From 4c0d7f41b0c527b57dab2d791082e95c59d9c95e Mon Sep 17 00:00:00 2001 From: Patrick Date: Wed, 24 Jul 2024 13:52:36 +0200 Subject: [PATCH] merged with develop --- data_sources/AWS_CloudWatchLogs_VPCflow.yml | 6 +++--- dist/api/detections.json | 6 +----- dist/api/lookups.json | 2 +- dist/api/macros.json | 2 +- dist/api/stories.json | 6 +----- dist/api/version.json | 6 +----- .../ssa___create_local_admin_accounts_using_net_exe.yml | 8 ++++---- .../ssa___create_local_user_accounts_using_net_exe.yml | 8 ++++---- dist/ssa/srs/ssa___deleting_shadow_copies.yml | 8 ++++---- ...xecutable_file_written_in_administrative_smb_share.yml | 2 +- lookups/data_sources.csv | 2 ++ 11 files changed, 23 insertions(+), 33 deletions(-) diff --git a/data_sources/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/AWS_CloudWatchLogs_VPCflow.yml index 93c530b714..b25ef8f89e 100644 --- a/data_sources/AWS_CloudWatchLogs_VPCflow.yml +++ b/data_sources/AWS_CloudWatchLogs_VPCflow.yml @@ -8,9 +8,9 @@ source: aws_cloudwatchlogs_vpcflow sourcetype: aws:cloudwatchlogs:vpcflow separator: eventName supported_TA: - name: Splunk Add-on for Amazon Web Services (AWS) - version: 7.4.1 - url: https://splunkbase.splunk.com/app/1876 + - name: Splunk Add-on for Amazon Web Services (AWS) + version: 7.4.1 + url: https://splunkbase.splunk.com/app/1876 fields: - _raw - _time diff --git a/dist/api/detections.json b/dist/api/detections.json index 449e4f3b92..cb8c91ee02 100644 --- a/dist/api/detections.json +++ b/dist/api/detections.json @@ -1,5 +1 @@ -<<<<<<< HEAD -{"detections": [{"name": "CrushFTP Server Side Template Injection", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "ccf6b7a3-bd39-4bc9-a949-143a8d640dbc", "description": "This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "tags": {"analytic_story": ["CrushFTP Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`crushftp` | rex field=_raw \"\\[(?HTTPS|HTTP):(?[^\\:]+):(?[^\\:]+):(?\\d+\\.\\d+\\.\\d+\\.\\d+)\\] (?READ|WROTE): \\*(?[A-Z]+) (?[^\\s]+) HTTP/[^\\*]+\\*\" | eval message=if(match(_raw, \"INCLUDE\") and isnotnull(src_ip), \"traces of exploitation by \" . src_ip, \"false\") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time| `crushftp_server_side_template_injection_filter`", "how_to_implement": "CrushFTP Session logs, from Windows or Linux, must be ingested to Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from the raw logs.", "known_false_positives": "False positives should be limited, however tune or filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "crushftp", "definition": "sourcetype=\"crushftp:sessionlogs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "crushftp_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Login Attempts to Routers", "author": "Bhavin Patel, Splunk", "date": "2024-05-14", "version": 2, "id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "description": "The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \"-30d@d\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\"Authentication\")` | `detect_new_login_attempts_to_routers_filter`", "how_to_implement": "To successfully implement this search, you must ensure the network router devices are categorized as \"router\" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.", "known_false_positives": "Legitimate router connections may appear as new connections", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "detect_new_login_attempts_to_routers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Risky SPL using Pretrained ML Model", "author": "Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk", "date": "2024-05-26", "version": 2, "id": "b4aefb5f-1037-410d-a149-1e091288ba33", "description": "The following analytic identifies potentially risky SPL commands executed by users. It leverages a pretrained machine learning text classifier that analyzes command text, user, and search type to assign a risk score between 0 and 1. This detection is significant as it helps identify suspicious or unauthorized search activities that could indicate malicious intent or misuse of the Splunk environment. If confirmed malicious, such activity could lead to unauthorized data access, data exfiltration, or further exploitation of the system.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potentially risky Splunk command has been run by $user$, kindly review.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. \" \" .'Search_Activity.user'. \" \" .'Search_Activity.search_type'| dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter`", "how_to_implement": "This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.", "known_false_positives": "False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "detect_risky_spl_using_pretrained_ml_model_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Email Attachments With Lots Of Spaces", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 3, "id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "description": "The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | eval space_ratio = (mvcount(split(file_name,\" \"))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address \"(?.*)@\" | `email_attachments_with_lots_of_spaces_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "email_attachments_with_lots_of_spaces_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Email files written outside of the Outlook directory", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 4, "id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "description": "The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in \"C:\\Users\\*\\My Documents\\Outlook Files\\*\" or \"C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*\". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \"C:\\\\Users\\\\*\\\\My Documents\\\\Outlook Files\\\\*\" Filesystem.file_path!=\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Outlook*\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "email_files_written_outside_of_the_outlook_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Email servers sending high volume traffic to hosts", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "description": "The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "application", "nes_fields": null, "macros": [{"name": "email_servers_sending_high_volume_traffic_to_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Monitor Email For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-04-16", "version": 3, "id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "description": "The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\"All_Email\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \"@\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`", "how_to_implement": "You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "monitor_email_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor", "filename": "brand_monitoring.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "No Windows Updates in a time frame", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "description": "The following analytic identifies Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. It leverages the 'Update' data model in Splunk, specifically looking for the latest 'Installed' status events from Microsoft Windows. This activity is significant for a SOC because endpoints that are not regularly patched are vulnerable to known exploits and security vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint that is intentionally being kept unpatched, potentially allowing attackers to exploit unpatched vulnerabilities and gain unauthorized access or control.", "references": [], "tags": {"analytic_story": ["Monitor for Updates"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\"Microsoft Windows\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \"Update Status\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \"-60d@d\"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as \"Last Update Time\", | table Host, \"Update Status\", Product, \"Last Update Time\" | `no_windows_updates_in_a_time_frame_filter`", "how_to_implement": "To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.", "known_false_positives": "None identified", "datamodel": ["Updates"], "source": "application", "nes_fields": null, "macros": [{"name": "no_windows_updates_in_a_time_frame_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 2, "id": "e2b99e7d-d956-411a-a120-2b14adfdde93", "description": "The following analytic identifies failed authentication attempts during the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication datamodel to detect specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This activity is significant as it may indicate an adversary attempting to authenticate with compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "references": ["https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]\"", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta IDP Lifecycle Modifications", "author": "Bhavin Patel, Splunk", "date": "2024-05-28", "version": 2, "id": "e0be2c83-5526-4219-a14f-c3db2e763d15", "description": "The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.", "references": ["https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]\"", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_id": ["T1087.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (\"system.idp.lifecycle.activate\",\"system.idp.lifecycle.create\",\"system.idp.lifecycle.delete\",\"system.idp.lifecycle.deactivate\") | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_idp_lifecycle_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta MFA Exhaustion Hunt", "author": "Michael Haag, Marissa Bower, Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "description": "The following analytic detects patterns of successful and failed Okta MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta event logs, specifically focusing on push verification events, and uses statistical evaluations to determine suspicious activity. This activity is significant as it may indicate an attacker attempting to bypass MFA by overwhelming the user with push notifications. If confirmed malicious, this could lead to unauthorized access, compromising the security of the affected accounts and potentially the entire environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock", "https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 18, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType=\"core.user.factor.attempt_success\")) as successes count(eval(legacyEventType=\"core.user.factor.attempt_fail\")) as failures count(eval(eventType=\"system.push.send_factor_verify_push\")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, \"%c\") | search (pushes>1) | eval totalattempts=successes+failures | eval finding=\"Normal authentication pattern\" | eval finding=if(failures==pushes AND pushes>1,\"Authentication attempts not successful because multiple pushes denied\",finding) | eval finding=if(totalattempts==0,\"Multiple pushes sent and ignored\",finding) | eval finding=if(successes>0 AND pushes>3,\"Probably should investigate. Multiple pushes sent, eventual successful authentication!\",finding) | `okta_mfa_exhaustion_hunt_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mfa_exhaustion_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "author": "John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "description": "The following analytic identifies discrepancies between the source and response events for Okta Verify Push requests, indicating potential suspicious behavior. It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa` with the factor \"OKTA_VERIFY_PUSH.\" The detection groups events by SessionID, calculates the ratio of successful sign-ins to push requests, and checks for session roaming and new device/IP usage. This activity is significant as it may indicate push spam or unauthorized access attempts. If confirmed malicious, attackers could bypass MFA, leading to unauthorized access to sensitive systems.", "references": ["https://attack.mitre.org/techniques/T1621", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\") | eval groupby=\"authenticationContext.externalSessionId\" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_pushes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_successes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"FAILURE\",1,0))) as total_rejected sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New Device=POSITIVE%\",1,0))) as suspect_device_from_source sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New IP=POSITIVE%\",0,0))) as suspect_ip_from_source values(eval(if(eventType=\"system.push.send_factor_verify_push\",\"client.ipAddress\",\"\"))) as src values(eval(if(eventType=\"user.authentication.auth_via_mfa\",\"client.ipAddress\",\"\"))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "7c0348ce-bdf9-45f6-8a57-c18b5976f00a", "description": "The following analytic identifies an attempt to disable multi-factor authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when the 'user.mfa.factor.deactivate' command is executed. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised valid account. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and prolonged undetected presence in the network.", "references": ["https://attack.mitre.org/techniques/T1556/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where sourcetype=\"OktaIM2:log\" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Multiple Accounts Locked Out", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "a511426e-184f-4de6-8711-cfd2af29d1e1", "description": "The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.", "risk_score": 49, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_multiple_accounts_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "826dbaae-a1e6-4c8c-b384-d16898956e73", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requests for user $src_user$ from IP Address - $src_ip$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Multiple Failed Requests to Access Applications", "author": "John Murphy, Okta, Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "description": "The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are unsuccessful across multiple applications. This activity is significant as it may indicate an attempt to bypass authentication mechanisms. If confirmed malicious, it could lead to unauthorized access to sensitive applications and data, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1538", "https://attack.mitre.org/techniques/T1550/004"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1550.004", "T1538"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', \": \") | eval targets=mvfilter(targets LIKE \"AppInstance%\") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\"policy.evaluate_sign_on\",targets,NULL))) as total_challenges sum(eval(if(eventType=\"user.authentication.sso\",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if(\"outcome.result\"=\"SUCCESS\",targets,NULL))) as success_apps values(eval(if(\":outcome.result\"!=\"SUCCESS\",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity=\"HIGH\", mitre_technique_id=\"T1538\", description=\"actor.alternateId\". \" from \" . \"client.ipAddress\" . \" seen opening \" . total_challenges . \" chiclets/apps with \" . total_successes . \" challenges successfully passed\" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_requests_to_access_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "de365ffa-42f5-46b5-b43f-fa72290b8218", "description": "The following analytic identifies instances where more than 10 unique user accounts have failed to authenticate from a single IP address within a 5-minute window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to compromise multiple user accounts, potentially leading to unauthorized access to organizational resources and data breaches.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1110.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action=\"failure\" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta New API Token Created", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "description": "The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_new_api_token_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta New Device Enrolled on Account", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "description": "The following analytic identifies when a new device is enrolled on an Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to detect the creation of new device enrollments. This activity is significant as it may indicate a legitimate user setting up a new device or an adversary adding a device to maintain unauthorized access. If confirmed malicious, this could lead to potential account takeover, unauthorized access, and persistent control over the compromised Okta account. Monitoring this behavior is crucial for detecting and mitigating unauthorized access attempts.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized.", "risk_score": 24, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is possible that the user has legitimately added a new device to their account. Please verify this activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_new_device_enrolled_on_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Phishing Detection with FastPass Origin Check", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "description": "The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason \"FastPass declined phishing attempt.\" This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.", "references": ["https://sec.okta.com/fastpassphishingdetection"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Okta FastPass has prevented $user$ from authenticating to a malicious site.", "risk_score": 100, "security_domain": "access", "risk_severity": "high", "mitre_attack_id": ["T1078", "T1078.001", "T1556"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"user.authentication.auth_via_mfa\" AND result=\"FAILURE\" AND outcome.reason=\"FastPass declined phishing attempt\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_phishing_detection_with_fastpass_origin_check_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Risk Threshold Exceeded", "author": "Michael Haag, Bhavin Patel, Splunk", "date": "2024-05-28", "version": 3, "id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "description": "The following correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities. It leverages the Risk Framework from Enterprise Security, aggregating risk events from \"Suspicious Okta Activity,\" \"Okta Account Takeover,\" and \"Okta MFA Exhaustion\" analytic stories. This detection is significant as it highlights potentially compromised user accounts exhibiting multiple tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed malicious, this activity could indicate a serious security breach, allowing attackers to gain unauthorized access, escalate privileges, or persist within the environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types", "https://sec.okta.com/everythingisyes"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "User", "role": ["Victim"]}], "message": "Okta Risk threshold exceeded for user [$risk_object$]. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1110"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN (\"Okta Account Takeover\", \"Suspicious Okta Activity\",\"Okta MFA Exhaustion\") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name(\"All_Risk\")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`", "how_to_implement": "This search leverages the Risk Framework from Enterprise Security. Ensure that \"Suspicious Okta Activity\", \"Okta Account Takeover\", and \"Okta MFA Exhaustion\" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed.", "known_false_positives": "False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.", "datamodel": ["Risk"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_risk_threshold_exceeded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Successful Single Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 2, "id": "98f6ad4f-4325-4096-9d69-45dc8e638e82", "description": "The following analytic identifies successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication events where \"Okta Verify\" is not used. This behavior is significant as it may indicate a misconfiguration, policy violation, or potential account takeover. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches or further exploitation within the environment.", "references": ["https://sec.okta.com/everythingisyes", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$].", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !=\"Okta Verify\" | `okta_successful_single_factor_authentication_filter`", "how_to_implement": "This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Suspicious Activity Reported", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 3, "id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "description": "The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities.", "known_false_positives": "False positives should be minimal, given the high fidelity of this detection. marker.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_activity_reported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Suspicious Use of a Session Cookie", "author": "Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk", "date": "2024-05-29", "version": 3, "id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "description": "The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1539/"], "tags": {"analytic_story": ["Okta Account Takeover", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1539"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur, depending on the organization's size and the configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_use_of_a_session_cookie_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Threat Detected", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "description": "The following analytic identifies threats detected by Okta ThreatInsight, such as password spraying, login failures, and high counts of unknown user login attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected events. This activity is significant for a SOC as it highlights potential unauthorized access attempts and credential-based attacks. If confirmed malicious, these activities could lead to unauthorized access, data breaches, and further exploitation of compromised accounts, posing a significant risk to the organization's security posture.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "app", "type": "Endpoint", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType = security.threat.detected | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_threat_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Unauthorized Access to Application", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "5f661629-9750-4cb9-897c-1f05d6db8727", "description": "The following analytic identifies attempts by users to access Okta applications that have not been assigned to them. It leverages Okta Identity Management logs, specifically focusing on failed access attempts to unassigned applications. This activity is significant for a SOC as it may indicate potential unauthorized access attempts, which could lead to exposure of sensitive information or disruption of services. If confirmed malicious, such activity could result in data breaches, non-compliance with data protection laws, and overall compromise of the IT environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$]", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_id": ["T1087.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action=\"failure\" by _time Authentication.src Authentication.user | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_unauthorized_access_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta User Logins from Multiple Cities", "author": "Bhavin Patel, Splunk", "date": "2024-05-09", "version": 2, "id": "a3d1df37-c2a9-41d0-aa8f-59f82d6192a8", "description": "The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_id": ["T1586.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_user_logins_from_multiple_cities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Path traversal SPL injection", "author": "Rod Soto, Splunk", "date": "2024-05-26", "version": 3, "id": "dfe55688-82ed-4d24-a21b-ed8f0e0fda99", "description": "The following analytic identifies attempts at path traversal in search parameters, which can lead to SPL injection. It detects this activity by searching for specific patterns in the `_internal` index that indicate path traversal attempts (e.g., \"../../../../\"). This activity is significant for a SOC because it can allow an attacker to manipulate the application to load data from incorrect endpoints, potentially running arbitrary SPL queries. If confirmed malicious, this could lead to unauthorized data access, code execution, or further exploitation of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `path_traversal_spl_injection` | search \"\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/\" | stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter (\"../../../../../../../../../\") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "path_traversal_spl_injection", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "path_traversal_spl_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "author": "Rod Soto, Splunk", "date": "2024-05-24", "version": 2, "id": "ce6e1268-e01c-4df2-a617-0f034ed49a43", "description": "The following analytic identifies potential persistent Cross-Site Scripting (XSS) attacks in Splunk Enterprise 9.0 versions before 9.0.4 through user interface views. It leverages audit logs from the `audit_searches` data source to detect actions involving Base64-encoded images in error messages. This activity is significant because it can allow attackers to inject malicious scripts that execute in the context of other users, leading to unauthorized actions or data exposure. If confirmed malicious, this could result in persistent control over the affected Splunk instance, compromising its integrity and confidentiality.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index", "known_false_positives": "This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID Mismatch Auth Source and Verification Response", "author": "Steven Dick", "date": "2024-05-22", "version": 2, "id": "15b0694e-caa2-4009-8d83-a1f98b86d086", "description": "The following analytic identifies discrepancies between the IP address of an authentication event and the IP address of the verification response event, focusing on differences in the originating countries. It leverages JSON logs from PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity is significant as it may indicate suspicious sign-in behavior, such as account compromise or unauthorized access attempts. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive systems and data.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$].", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1621", "T1556.006", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` (\"result.status\" IN (\"SUCCESS*\",\"FAIL*\",\"UNSUCCESSFUL*\") NOT \"result.message\" IN (\"*pair*\",\"*create*\",\"*delete*\")) | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' | join user session_id [ search `pingid` (\"result.status\" IN (\"POLICY\") AND \"resources{}.ipaddress\"=*) AND \"result.message\" IN(\"*Action: Authenticate*\",\"*Action: Approve*\",\"*Action: Allowed*\") | rex field=result.message \"IP Address: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Action: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application Name: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application ID: (?:N\\/A)?(?.+)?\\n\" | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by users working out the geographic region where the organizations services or technology is hosted.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_mismatch_auth_source_and_verification_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PingID Multiple Failed MFA Requests For User", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "c1bc706a-0025-4814-ad30-288f38865036", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within a PingID environment. It triggers when 10 or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access, as the user might eventually accept the fraudulent request, compromising the security of the account and potentially the entire network.", "references": ["https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1621", "T1078", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.status\" IN (\"FAILURE,authFail\",\"UNSUCCESSFUL_ATTEMPT\") | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PingID New MFA Method After Credential Reset", "author": "Steven Dick", "date": "2024-05-21", "version": 2, "id": "2fcbce12-cffa-4c84-b70c-192604d201d0", "description": "The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677", "https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1621", "T1556.006", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.message\" = \"*Device Paired*\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,\"duration\"),\"(\\d*)\\+*(\\d+):(\\d+):(\\d+)\",\"\\2 hours \\3 minutes\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`", "how_to_implement": "Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_new_mfa_method_after_credential_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "PingID New MFA Method Registered For User", "author": "Steven Dick", "date": "2024-05-07", "version": 2, "id": "892dfeaf-461d-4a78-aac8-b07e185c9bce", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$], the device [$object$] was $action$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1621", "T1556.006", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.message\"=\"Device Paired*\" result.status=\"SUCCESS\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "author": "Rod Soto", "date": "2024-05-17", "version": 2, "id": "356bd3fe-f59b-4f64-baa1-51495411b7ad", "description": "The following analytic detects the exploitation of an absolute path traversal vulnerability in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, where an attacker can execute arbitrary code located on a separate disk. It leverages logs from the `splunk_python` macro, specifically looking for the `runshellscript` command with a specific argument count and path pattern. This activity is significant as it indicates a potential exploitation attempt that could lead to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the Splunk instance, leading to data breaches or further system compromise.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0806"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attack against splunk_server $splunk_server$ through abuse of the runshellscript command", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` *runshellscript* | eval log_split=split(_raw, \"runshellscript: \") | eval array_raw = mvindex(log_split,1) | eval data_cleaned=replace(replace(replace(array_raw,\"\\[\",\"\"),\"\\]\",\"\"),\"'\",\"\") | eval array_indices=split(data_cleaned,\",\") | eval runshellscript_args_count=mvcount(array_indices) | where runshellscript_args_count = 10 | eval interpreter=mvindex(array_indices,0) | eval targetScript=mvindex(array_indices,1) | eval targetScript != \"*C:*\" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_absolute_path_traversal_using_runshellscript_filter`", "how_to_implement": "Must have access to internal indexes. Only applies to Splunk on Windows versions.", "known_false_positives": "The command runshellscript can be used for benign purposes. Analyst will have to review the searches and determined maliciousness specially by looking at targeted script.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_absolute_path_traversal_using_runshellscript_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "f844c3f6-fd99-43a2-ba24-93e35fe84be6", "description": "The following analytic identifies the presence of environment variables in Splunk dashboard drilldown URLs. It uses the REST API to query dashboards for specific patterns in the XML data. This activity is significant because it can expose sensitive tokens from privileged users if an attacker shares a malicious dashboard. If confirmed malicious, this could allow an attacker to detokenize variables and potentially gain unauthorized access to sensitive information or escalate privileges within the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "author", "type": "User", "role": ["Attacker"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data=\"*$env:*\" eai:data=\"*url*\" eai:data=\"*options*\" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS \"Dashboard XML\" | fields Author Permissions App \"Dashboard XML\" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter`", "how_to_implement": "This search uses REST function to query for dashboards with environment variables present in URL options.", "known_false_positives": "This search may reveal non malicious URLs with environment variables used in organizations.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 2, "id": "a053e6a6-2146-483a-9798-2d43652f3299", "description": "The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It leverages REST API queries to monitor the creation of these lookups, focusing on fields such as title, author, and access control lists. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x, potentially allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "eai:acl.app", "type": "Other", "role": ["Victim"]}], "message": "Please review $eai:acl.app$ for possible malicious lookups", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest splunk_server=local /services/data/lookup-table-files/ | fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data | `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`", "how_to_implement": "Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable.", "known_false_positives": "This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Authentication Token Exposure in Debug Log", "author": "Rod Soto, Chase Franklin", "date": "2024-05-25", "version": 2, "id": "9a67e749-d291-40dd-8376-d422e7ecf8b5", "description": "The following analytic identifies exposed authentication tokens in debug logs within Splunk Enterprise. It leverages logs from the `splunkd` component with a DEBUG log level, specifically searching for event messages that validate tokens. This activity is significant because exposed tokens can be exploited by attackers to gain unauthorized access to the Splunk environment. If confirmed malicious, this exposure could lead to unauthorized data access, privilege escalation, and potential compromise of the entire Splunk infrastructure. Monitoring and addressing this vulnerability is crucial for maintaining the security and integrity of the Splunk deployment.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0301"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible JsonWebToken exposure, please investigate affected $host$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1654"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` component=JsonWebToken log_level=DEBUG eventtype=\"splunkd-log\" event_message=\"Validating token:*\" | rex \"Validating token: (?.*)\\.$\" | search token!=None | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_authentication_token_exposure_in_debug_log_filter`", "how_to_implement": "Requires access to internal Splunk indexes.", "known_false_positives": "Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9", "datamodel": ["Web"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_authentication_token_exposure_in_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "author": "Rod Soto", "date": "2024-05-24", "version": 2, "id": "b06b41d7-9570-4985-8137-0784f582a1b3", "description": "The following analytic identifies attempts to exploit a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. It detects this activity by analyzing events in the _internal index with the file=export parameter. This behavior is significant because it indicates a potential code injection attack, which could lead to remote code execution (RCE). If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary commands, and potentially compromise the entire Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential exploitation of Code Injection via Dashboard PDF generation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode(\"uri_path\")| rex field=URL \"\\/saved\\/searches\\/(?[^\\/]*)\" | rex field=URL \"\\/data\\/ui\\/views\\/(?[^\\/]*)\" | eval NAME=NAME.\"( Saved Search )\",NAME1=NAME1.\"( Dashboard )\" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,\"2\\d+\"),\"SUCCESS\",match(status,\"3\\d+\"),\"REDIRECTION\",match(status,\"4\\d+\") OR match(status,\"5\\d+\"),\"ERROR\") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "8d3d5d5e-ca43-42be-aa1f-bc64375f6b04", "description": "The following analytic detects the use of the 'delete' command in Splunk, which can be used to remove queried data. This detection leverages the Splunk Audit data model, specifically monitoring ad-hoc searches containing the 'delete' command by non-system users. This activity is significant because the 'delete' command is rarely used and can indicate potential data tampering or unauthorized data removal. If confirmed malicious, this activity could lead to the loss of critical log data, hindering incident investigations and compromising the integrity of the monitoring environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ executed the 'delete' command, if this is unexpected it should be reviewed.", "risk_score": 27, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| delete*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.", "known_false_positives": "False positives may be present if this command is used as a common practice. Filter as needed.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_delete_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "1cf58ae1-9177-40b8-a26c-8966040f11ae", "description": "The following analytic identifies the execution of risky commands within the Splunk platform, such as `runshellscript`, `delete`, and `sendemail`. It leverages the Search_Activity data model to detect ad hoc searches containing these commands, excluding those run by the splunk-system-user. This activity is significant because it may indicate attempts at data exfiltration, deletion, or other unauthorized actions by a malicious user. If confirmed malicious, this could lead to data loss, unauthorized data transfer, or system compromise, severely impacting the organization's security posture.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json", "https://advisory.splunk.com/advisories/SVD-2024-0302"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A risky Splunk command has ran by $user$ and should be reviewed.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will be present until properly filtered by Username and search name.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_risky_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "author": "Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk", "date": "2024-05-15", "version": 2, "id": "19d0146c-2eae-4e53-8d39-1198a78fa9ca", "description": "The following analytic identifies the execution of risky SPL commands with abnormally long run times by leveraging a machine learning model named \"risky_command_abuse.\" It uses the Splunk Audit data model to compare current search activities against a baseline of the past seven days. This activity is significant for a SOC as it can indicate potential misuse or abuse of powerful SPL commands, which could lead to unauthorized data access or system manipulation. If confirmed malicious, this activity could allow an attacker to execute arbitrary scripts, delete data, or exfiltrate sensitive information.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Abnormally long run time for risk SPL command seen by user $(Search_Activity.user).", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!=\"\") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`", "how_to_implement": "This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.", "known_false_positives": "If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk CSRF in the SSG kvstore Client Endpoint", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "4742d5f7-ce00-45ce-9c79-5e98b43b4410", "description": "The following analytic identifies attempts to exploit a cross-site request forgery (CSRF) vulnerability in the Splunk Secure Gateway (SSG) app's kvstore_client endpoint. It detects GET requests to the vulnerable endpoint using internal index data, focusing on specific URI paths and HTTP methods. This activity is significant because it can allow unauthorized updates to SSG KV store collections, potentially leading to data manipulation or unauthorized access. If confirmed malicious, this could enable attackers to alter critical configurations or exfiltrate sensitive information, compromising the integrity and security of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0212"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CSRF exploitation attempt from $splunk_server$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkda` uri_path=\"/*/splunkd/__raw/services/ssg/kvstore_client\" method=\"GET\" delete_field_value=\"spacebridge_server\" status=\"200\" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`", "how_to_implement": "Requires access to internal index.", "known_false_positives": "This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-25", "version": 2, "id": "b6d77c6c-f011-4b03-8650-8f10edb7c4a8", "description": "The following analytic identifies attempts to exfiltrate data by executing a prepositioned malicious search ID in Splunk's Analytic Workspace. It leverages the `audit_searches` data source to detect suspicious `mstats` commands indicative of injection attempts. This activity is significant as it may indicate a phishing-based attack where an attacker compels a victim to initiate a malicious request, potentially leading to unauthorized data access. If confirmed malicious, this could result in significant data exfiltration, compromising sensitive information and impacting the organization's security posture.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential data exfiltration attack using SID query by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1567"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` info=granted search NOT (\"audit_searches\") search NOT (\"security_content_summariesonly\") AND ((search=\"*mstats*[*]*\" AND provenance=\"N/A\") OR (search=\"*mstats*\\\\\\\"*[*]*\\\\\\\"*\"))| eval warning=if(match(search,\"\\\\\\\\\\\"\"), \"POTENTIAL INJECTION STAGING\", \"POTENTIAL INJECTION EXECUTION\") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`", "how_to_implement": "The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run \"Splunk Command and Scripting Interpreter Risky SPL MLTK\" to gain more insight into potentially risky commands which could lead to data exfiltration.", "known_false_positives": "This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to \"/en-US/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Infrastructure Version", "author": "Lou Stella, Splunk", "date": "2024-05-27", "version": 2, "id": "3c162281-7edb-4ebc-b9a4-5087aaf28fa7", "description": "The following analytic identifies improper TLS validation configuration on Splunk search heads and peers post version 9. It leverages REST API calls to retrieve server information and SSL configuration settings, checking fields like `sslVerifyServerCert` and `sslVerifyServerName`. This activity is significant for a SOC as improper TLS settings can expose the infrastructure to man-in-the-middle attacks and data breaches. If confirmed malicious, attackers could intercept or manipulate data, compromising the integrity and confidentiality of communications within the Splunk environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk-to-Splunk_communication", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1587.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"sslConfig\"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value=\"Not Set\" | rename sslVerifyServerCert as \"Server.conf:SslConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:SslConfig:sslVerifyServerName\", serverCert as \"Server.conf:SslConfig:serverCert\" | `splunk_digital_certificates_infrastructure_version_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "No known at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_digital_certificates_infrastructure_version_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Lack of Encryption", "author": "Lou Stella, Splunk", "date": "2024-05-18", "version": 2, "id": "386a7ebc-737b-48cf-9ca8-5405459ed508", "description": "The following analytic identifies Splunk forwarder connections that are not using TLS encryption. It leverages data from the `splunkd` logs, specifically looking for connections where the `ssl` field is set to \"false\". This activity is significant because unencrypted connections can expose sensitive data and allow unauthorized access, posing a security risk. If confirmed malicious, an attacker could exploit this vulnerability to download or publish forwarder bundles, potentially leading to arbitrary code execution and further compromise of the environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "hostname", "type": "Hostname", "role": ["Victim"]}], "message": "$hostname$ is not using TLS when forwarding data", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1587.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`splunkd` group=\"tcpin_connections\" ssl=\"false\" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`", "how_to_implement": "This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the \"ssl=false\" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_digital_certificates_lack_of_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DoS Using Malformed SAML Request", "author": "Rod Soto", "date": "2024-05-29", "version": 2, "id": "8e8a86d5-f323-4567-95be-8e817e2baee6", "description": "The following analytic detects a denial of service (DoS) attempt using a malformed SAML request targeting the /saml/acs REST endpoint in Splunk Enterprise versions lower than 9.0.6 and 8.2.12. It leverages `splunkd` logs, specifically looking for error messages containing \"xpointer\" in the `expr` field. This activity is significant because it can cause the Splunk daemon to crash or hang, disrupting service availability. If confirmed malicious, this attack could lead to prolonged downtime, impacting the organization's ability to monitor and respond to security events.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0802"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible DoS attack against Splunk Server $splunk_server$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1498"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`", "how_to_implement": "To run this search, you must have access to the _internal index.", "known_false_positives": "This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_dos_using_malformed_saml_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DOS Via Dump SPL Command", "author": "Rod Soto", "date": "2024-05-03", "version": 2, "id": "fb0e6823-365f-48ed-b09e-272ac4c1dad6", "description": "The following analytic identifies a potential Denial of Service (DoS) attack exploiting the dump SPL command in vulnerable Splunk Enterprise versions. It detects this activity by searching the `splunk_crash_log` for segmentation fault entries, indicating a crash of the Splunk daemon. This activity is significant for a SOC because it can disrupt the availability of Splunk services, impacting monitoring and incident response capabilities. If confirmed malicious, this attack could render Splunk Enterprise unusable, severely hindering an organization's ability to detect and respond to other security threats.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack with Victim $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_crash_log` \"*Segmentation fault*\" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`", "how_to_implement": "This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.", "known_false_positives": "Segmentation faults may occur due to other causes, so this search may produce false positives", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_dos_via_dump_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DoS via Malformed S2S Request", "author": "Lou Stella, Splunk", "date": "2024-05-27", "version": 3, "id": "fc246e56-953b-40c1-8634-868f9e474cbd", "description": "The following analytic identifies attempts to exploit a Denial of Service (DoS) vulnerability in the Splunk-to-Splunk (S2S) protocol by detecting malformed S2S requests. It leverages `splunkd` logs, specifically looking for \"ERROR\" level logs from the \"TcpInputProc\" component with the thread name \"FwdDataReceiverThread\" and the message \"Invalid _meta atom.\" This activity is significant as it targets a known vulnerability that could disrupt Splunk services. If confirmed malicious, this could lead to service outages, impacting the availability and reliability of Splunk for monitoring and analysis.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1498"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` log_level=\"ERROR\" component=\"TcpInputProc\" thread_name=\"FwdDataReceiverThread\" \"Invalid _meta atom\" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.", "known_false_positives": "None.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_dos_via_malformed_s2s_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DoS via POST Request Datamodel Endpoint", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "45766810-dbb2-44d4-b889-b4ba3ee0d1f5", "description": "The following is a hunting search that allows investigation of error messages indicating Splunk HTTP engine shutdown as a result of a crafted posted request against '/datamodel/model' endpoint.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0710"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Denial of Service attack against $splunk_server$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webs` log_level=INFO message=\"ENGINE: HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down\" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_dos_via_post_request_datamodel_endpoint_filter`", "how_to_implement": "Need access to the internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives as other causes can also shut down splunk HTTP engine, however this denial of service error is associated to a request to the datamodel/model endpoing which operator can research and find proximity of request and message in logs.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_dos_via_post_request_datamodel_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webs", "definition": "index=_internal sourcetype=splunk_web_service", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DOS via printf search function", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-25", "version": 2, "id": "78b48d08-075c-4eac-bd07-e364c3780867", "description": "The following analytic identifies the use of the `printf` SPL function in Splunk searches, which can be exploited for a denial of service (DoS) attack. It detects this activity by querying the `audit_searches` data source for specific patterns involving `makeresults`, `eval`, `fieldformat`, and `printf` functions, excluding searches by the `splunk_system_user`. This activity is significant because it targets a known vulnerability in Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, potentially disrupting the availability of the Splunk instance. If confirmed malicious, this could lead to service outages and impact the monitoring and logging capabilities of the organization.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack against $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` \"*makeresults * eval * fieldformat *printf*\" user!=\"splunk_system_user\" search!=\"*audit_searches*\" | stats count by user splunk_server host search | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter`", "how_to_implement": "This search requires the ability to search internal indexes.", "known_false_positives": "This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_dos_via_printf_search_function_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Edit User Privilege Escalation", "author": "Rod Soto, Chase Franklin", "date": "2024-05-15", "version": 2, "id": "39e1c326-67d7-4c0d-8584-8056354f6593", "description": "The following analytic identifies attempts by low-privilege users to escalate their privileges to admin by exploiting the edit_user capability. It detects this activity by analyzing audit trail logs for specific actions such as \"change_own_password\" and \"edit_password\" where the info field is \"granted\" and the user is not an admin or system user. This activity is significant because it indicates potential privilege escalation, which is a critical security concern. If confirmed malicious, this could allow an attacker to gain administrative access, leading to full control over the Splunk environment and potential data breaches.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible attempt to abuse edit_user function by $user$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audittrail` action IN (\"change_own_password\",\"password_change\",\"edit_password\") AND info=\"granted\" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.", "known_false_positives": "This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_edit_user_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2024-05-27", "version": 2, "id": "b237d393-2f57-4531-aad7-ad3c17c8b041", "description": "The following analytic identifies crashes in the Splunk search app caused by specially crafted ZIP files, affecting Universal Forwarder versions 8.1.11 and 8.2 versions below 8.2.7.1. It detects this activity by monitoring Universal Forwarder error logs for specific messages indicating invalid or binary file issues. This activity is significant because it can disrupt Splunk operations, leading to potential data loss or monitoring gaps. If confirmed malicious, this attack could result in a denial of service, hindering the organization's ability to monitor and respond to other security incidents effectively.", "references": ["https://en.wikipedia.org/wiki/ZIP_(file_format)", "https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 75, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`", "how_to_implement": "Need to monitor Splunkd data from Universal Forwarders.", "known_false_positives": "This search may reveal non malicious zip files causing errors as well.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-10", "version": 2, "id": "8f0e8380-a835-4f2b-b749-9ce119364df0", "description": "The following analytic detects unauthorized attempts to reload Splunk KV Store collections via the REST API. It leverages internal index logs to identify POST requests to the `/servicesNS/nobody/search/admin/collections-conf/_reload` endpoint, focusing on status codes starting with '2'. This activity is significant as it may indicate improper permission handling, potentially leading to unauthorized deletion of KV Store collections. If confirmed malicious, this could result in data loss or unauthorized data manipulation, impacting the integrity and availability of critical Splunk data.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0105"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attempt to access KV Store collections at $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method=\"POST\" user=* file=_reload | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_kv_store_incorrect_authorization_filter`", "how_to_implement": "Requires access to internal indexes and REST API enabled instances.", "known_false_positives": "This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_kv_store_incorrect_authorization_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-07-01", "version": 3, "id": "947d4d2e-1b64-41fc-b32a-736ddb88ce97", "description": "The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0108"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Windows Deserialization exploitation via irregular path file against $host$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunk_python` request_path=\"/*/app/search/C:\\\\Program\" *strings* | rex \"request_path=(?[^\\\"]+)\" | rex field=file_path \"[^\\\"]+/(?[^\\\"\\'\\s/\\\\\\\\]+)\" | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_windows_deserialization_file_partition_filter`", "how_to_implement": "Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.", "known_false_positives": "Irregular path with files that may be purposely called for benign reasons may produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_windows_deserialization_file_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-25", "version": 2, "id": "7f6a07bd-82ef-46b8-8eba-802278abd00e", "description": "The following analytic detects the creation of malformed Investigations in Splunk Enterprise Security (ES) versions lower than 7.1.2, which can lead to a denial of service (DoS). It leverages internal Splunk logs, specifically monitoring the `splunkd_investigation_rest_handler` with error statuses during investigation creation. This activity is significant as it can disrupt the functionality of the Investigations manager, hindering incident response efforts. If confirmed malicious, this could prevent security teams from accessing critical investigation data, severely impacting their ability to manage and respond to security incidents effectively.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0102"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Denial of Service Attack against Splunk ES Investigation Manager by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user host method msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_investigations_manager_via_investigation_creation_filter`", "how_to_implement": "This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.", "known_false_positives": "The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk ES DoS Through Investigation Attachments", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-29", "version": 2, "id": "bb85b25e-2d6b-4e39-bd27-50db42edcb8f", "description": "The following analytic detects attempts to perform a denial of service (DoS) attack through investigation attachments in Splunk Enterprise Security (ES) versions below 7.1.2. It leverages internal Splunk logs, specifically monitoring the `splunkd_investigation_rest_handler` for error statuses related to investigation objects. This activity is significant because it can render the Investigation feature inaccessible, disrupting incident response and forensic analysis. If confirmed malicious, this attack could prevent security teams from effectively managing and investigating security incidents, leading to prolonged exposure and potential data breaches.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0101"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Denial of Service detected at Splunk ES affecting $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` status=error object=investigation | stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_through_investigation_attachments_filter`", "how_to_implement": "This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2.", "known_false_positives": "This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_es_dos_through_investigation_attachments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "author": "Rod Soto, Chase Franklin", "date": "2024-05-27", "version": 2, "id": "e615a0e1-a1b2-4196-9865-8aa646e1708c", "description": "The following analytic identifies attempts to exploit an HTTP response splitting vulnerability via the rest SPL command in Splunk. It detects this activity by analyzing audit logs for specific search commands that include REST methods like POST, PUT, PATCH, or DELETE. This behavior is significant because it indicates a potential attempt to access restricted REST endpoints, which could lead to unauthorized access to sensitive information. If confirmed malicious, this activity could allow an attacker to access restricted content, such as password files, by injecting commands into HTTP requests.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "URL String", "role": ["Victim"]}], "message": "Suspicious access by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027.006"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` AND search IN (\"*|*rest*POST*\",\"*|*rest*PUT*\",\"*|*rest*PATCH*\",\"*|*rest*DELETE*\") AND NOT search=\"*audit_searches*\" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.", "known_false_positives": "This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_http_response_splitting_via_rest_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "author": "Chase Franklin, Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "08978eca-caff-44c1-84dc-53f17def4e14", "description": "The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "An attempt to exploit ingest eval parameter was detected from $user$", "risk_score": 100, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search=\"*makeresults*\"AND Search_Activity.search=\"*ingestpreview*transforms*\") Search_Activity.search_type=adhoc Search_Activity.search!=\"*splunk_improperly_formatted_parameter_crashes_splunkd_filter*\" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter`", "how_to_implement": "Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-20", "version": 2, "id": "b7b82980-4a3e-412e-8661-4531d8758735", "description": "The following analytic identifies the presence of vulnerable versions of Splunk Add-on Builder (below 4.1.4) that write sensitive information to internal log files. It uses REST API queries to check installed app versions and flags those below the secure threshold. This activity is significant because it exposes sensitive data, which could be exploited by attackers. If confirmed malicious, this vulnerability could lead to unauthorized access to sensitive information, compromising the security and integrity of the Splunk environment. Immediate updates to version 4.1.4 or higher are recommended.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0111"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "version", "type": "Other", "role": ["Other"]}], "message": "Vulnerable $version$ of Splunk Add-on Builder found - Upgrade Immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/apps/local | search disabled=0 core=0 label=\"Splunk Add-on Builder\" | dedup label | search version < 4.1.4 | eval WarningMessage=\"Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111\" | table label version WarningMessage | `splunk_information_disclosure_in_splunk_add_on_builder_filter`", "how_to_implement": "This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed.", "known_false_positives": "This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_information_disclosure_in_splunk_add_on_builder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Information Disclosure on Account Login", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "2bae5d19-6d1b-4db0-82ab-0af5ac5f836c", "description": "This is a composed hunting search that looks for possible user enumeration attempts when SAML is enabled on a Splunk instance by capturing different responses from server.", "references": ["https://advisory.splunk.com/SVD-2024-0716"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "Hostname", "role": ["Victim"]}], "message": "Possible user enumeration attack against $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` component=UiAuth status=failure action=login TcpChannelThread | stats count min(_time) as firstTime max(_time) as lastTime by user status action clientip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_information_disclosure_on_account_login_filter`", "how_to_implement": "Requires access to internal indexes _internal.", "known_false_positives": "This is a hunting search and requires operator to search for large number of login failures from several users indicating possible user enumeration attempts. May capture genuine login failures.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_information_disclosure_on_account_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk list all nonstandard admin accounts", "author": "Rod Soto", "date": "2024-05-21", "version": 2, "id": "401d689c-8596-4c6b-a710-7b6fdca296d3", "description": "The following analytic identifies nonstandard Splunk accounts with administrative rights on the instance, excluding the default admin account. It uses REST API calls to retrieve user data and filters for accounts with admin capabilities. This activity is significant as unauthorized admin accounts can indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could leverage these accounts to execute commands, escalate privileges, or persist within the environment, posing a significant risk to the integrity and security of the Splunk instance.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential stored XSS attempt from $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them.", "known_false_positives": "It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_list_all_nonstandard_admin_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-29", "version": 2, "id": "a1be424d-e59c-4583-b6f9-2dcc23be4875", "description": "The following analytic identifies low-privilege users attempting to view hashed Splunk passwords by querying the conf-user-seed REST endpoint. It leverages data from the `splunkd_web` logs, specifically monitoring access to the conf-user-seed endpoint. This activity is significant because it can indicate an attempt to escalate privileges by obtaining hashed credentials, potentially leading to admin account takeover. If confirmed malicious, this could allow an attacker to gain administrative control over the Splunk instance, compromising the entire environment's security.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempt to access Splunk hashed password file from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1212"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` uri=\"*/servicesNS/nobody/system/configs/conf-user-seed*\" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.", "known_false_positives": "This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-22", "version": 2, "id": "8ed58987-738d-4917-9e44-b8ef6ab948a6", "description": "The following analytic identifies path traversal attempts in the Splunk App for Lookup File Editing. It detects specially crafted web requests targeting lookup files by analyzing the `uri_query` field in the `_internal` index. This activity is significant because it allows low-privilege users to read and write to restricted areas of the Splunk installation directory, potentially accessing sensitive files like password hashes. If confirmed malicious, this could lead to unauthorized access, data breaches, and further exploitation of the Splunk environment.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts or malformed requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "author": "Rod Soto", "date": "2024-05-20", "version": 2, "id": "8a43558f-a53c-4ee4-86c1-30b1e8ef3606", "description": "The following analytic detects attempts to bypass URL validation in Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13 by targeting the vulnerable bootstrap version 2.3.1. It leverages `splunkd_web` logs, specifically monitoring GET requests to JavaScript files within the vulnerable bootstrap path. This activity is significant as it can allow a low-privileged user to perform path traversal, potentially accessing restricted and confidential information. If confirmed malicious, this could lead to unauthorized data access and compromise of sensitive information, including targeting admin users.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempted access to vulnerable bootstrap file by $clientip$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` method=GET uri_path=\"*bootstrap-2.3.1*\" file=\"*.js\" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`", "how_to_implement": "This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.", "known_false_positives": "This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "author": "Lou Stella, Splunk", "date": "2024-05-23", "version": 2, "id": "8ea57d78-1aac-45d2-a913-0cd603fb6e9e", "description": "The following analytic identifies unauthorized forwarder bundle downloads from Splunk Deployment Servers. It leverages native Splunk logs, specifically the `splunkd` component \"PackageDownloadRestHandler,\" to detect instances where an unauthenticated client may have downloaded forwarder bundles. This activity is significant because it could indicate a potential security breach, allowing unauthorized access to sensitive configurations and applications. If confirmed malicious, an attacker could gain insights into the deployment server's environment, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "$peer$ downloaded apps from $host$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` component=\"PackageDownloadRestHandler\" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter`", "how_to_implement": "This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_process_injection_forwarder_bundle_downloads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "author": "Lou Stella, Splunk", "date": "2024-05-28", "version": 2, "id": "900892bf-70a9-4787-8c99-546dd98ce461", "description": "The following analytic identifies weak encryption configurations in Splunk related to TLS validation within the httplib and urllib Python libraries. It uses REST API calls to check specific configuration settings on the search head and its peers, ensuring compliance with security advisories. This activity is significant for a SOC as weak encryption can be exploited for protocol impersonation attacks, leading to unauthorized access. If confirmed malicious, attackers could intercept and manipulate data, compromising the integrity and confidentiality of the Splunk environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1001.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"PythonSslClientConfig\" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as \"Server.conf:PythonSSLClientConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:PythonSSLClientConfig:sslVerifyServerName\", serverCert as \"Web.conf:Settings:serverCert\", sslVersions as \"Web.conf:Settings:sslVersions\" | `splunk_protocol_impersonation_weak_encryption_configuration_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration.", "datamodel": ["Web"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_configuration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "author": "Rod Soto, Splunk", "date": "2024-05-21", "version": 2, "id": "c76c7a2e-df49-414a-bb36-dce2683770de", "description": "The following analytic identifies the use of Splunk's default self-signed certificates, which are flagged as insecure. It detects events from the `splunkd` log where the event message indicates that an X509 certificate should not be used. This activity is significant because using weak encryption and self-signed certificates can expose the system to man-in-the-middle attacks and other security vulnerabilities. If confirmed malicious, attackers could impersonate Splunk services, intercept sensitive data, and compromise the integrity of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Splunk default issued certificate at $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1588.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` certificate event_message=\"X509 certificate* should not be used*\" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "839d12a6-b119-4d44-ac4f-13eed95412c8", "description": "The following analytic identifies instances where Splunk's Python3 client libraries fail to validate SSL certificates properly. It leverages logs from `splunk_python` to detect when \"simpleRequest SSL certificate validation is enabled without hostname verification.\" This activity is significant because improper SSL certificate validation can expose the system to man-in-the-middle attacks, allowing attackers to intercept or alter data. If confirmed malicious, this vulnerability could lead to unauthorized access, data breaches, and potential system compromise. Upgrading to Splunk version 9 and configuring TLS hostname validation is recommended to mitigate this risk.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Failed to validate certificate on $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1588.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` \"simpleRequest SSL certificate validation is enabled without hostname verification\" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "author": "Rod Soto", "date": "2024-05-15", "version": 2, "id": "bbe26f95-1655-471d-8abd-3d32fafa86f8", "description": "The following analytic identifies unauthorized attempts to use the /services/indexing/preview REST endpoint in Splunk. It detects POST requests to this endpoint by monitoring the _internal index for specific URI patterns. This activity is significant because it indicates a potential RBAC (Role-Based Access Control) bypass, allowing unauthorized users to overwrite search results if they know the search ID (SID) of an existing job. If confirmed malicious, this could lead to data manipulation, unauthorized access to sensitive information, and compromised integrity of search results.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Review $clientip$ access to indexing preview endpoint from low privilege user", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` method=\"POST\" uri=\"*/services/indexing/preview*\" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`", "how_to_implement": "This search does not require additional data ingestion. It requires the ability to search _internal index.", "known_false_positives": "This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk RCE PDFgen Render", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "bc2b7437-0400-438b-9537-21ab5b7d2d53", "description": "This is a hunting search designed to find and discover exploitation attempts against Splunk pdfgen render endpoint which results in remote", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0701"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation against $host$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunk_pdfgen _raw IN (\"*base64*\", \"*lambda*\", \"*system*\") | stats count min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host, _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_pdfgen_render_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This search will hunt for exploitation attempts against Splunk PDFgen render function, and not all requests are necesarily malicious so there will be false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_pdfgen_render_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via External Lookup Copybuckets", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "8598f9de-bba8-42a4-8ef0-12e1adda4131", "description": "The following detection provides the ability to detect remote code execution attempts against a script named copybuckets present within the splunk_archiver application by calling this script as an external lookup.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0705"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation attempt against $host$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "index=_internal sourcetype=\"splunk_archiver-too_small\" *.csv | rex field=_raw \"Invoking command:\\s(?.*)\" | stats min(_time) as firstTime max(_time) as lastTime values(command) as command values(severity) as severity by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_external_lookup_copybuckets_filter`", "how_to_implement": "Requires access to internal indexes", "known_false_positives": "An operator must identify elements indicatives of command execution requests by looking at regex data being extracted from the log. Not all the requests will be malicious.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_external_lookup_copybuckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Serialized Session Payload", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-26", "version": 2, "id": "d1d8fda6-874a-400f-82cf-dcbb59d8e4db", "description": "The following analytic detects the execution of a specially crafted query using the 'collect' SPL command in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1. It leverages audit logs to identify searches containing both 'makeresults' and 'collect' commands. This activity is significant because it can indicate an attempt to serialize untrusted data, potentially leading to arbitrary code execution. If confirmed malicious, this could allow an attacker to execute code within the Splunk environment, leading to unauthorized access and control over the system.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential abuse of the 'collect' SPL command against $splunk_server$ by detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` file=* (search=\"*makeresults*\" AND search=\"*collect*\") | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_serialized_session_payload_filter`", "how_to_implement": "Requires access to the _audit index.", "known_false_positives": "There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_serialized_session_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "author": "Rod Soto", "date": "2024-05-16", "version": 2, "id": "baa41f09-df48-4375-8991-520beea161be", "description": "The following analytic identifies potential exploitation attempts against the Splunk Secure Gateway App's Mobile Alerts feature in Splunk versions 9.0, 8.2.x, and 8.1.x. It detects suspicious activity by monitoring requests to the mobile alerts endpoint using specific URI paths and query parameters. This activity is significant because an authenticated user could exploit this vulnerability to execute arbitrary operating system commands remotely. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation attempt from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri_path=\"/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" sort=\"notification.created_at:-1\" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`", "how_to_implement": "This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.", "known_false_positives": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is \"uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk RCE via User XSLT", "author": "Marissa Bower, Chase Franklin, Rod Soto, Bhavin Patel, Eric McGinnis, Splunk", "date": "2024-05-16", "version": 2, "id": "6cb7e011-55fb-48e3-a98d-164fa854e37e", "description": "The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing `splunkd_ui` logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Remote Code Execution via XLST from $src$ using useragent - $useragent$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` ((uri=\"*NO_BINARY_CHECK=1*\" AND \"*input.path=*.xsl*\") OR uri=\"*dispatch*.xsl*\") AND uri!= \"*splunkd_ui*\" | rex field=uri \"(?=\\s*([\\S\\s]+))\" | eval decoded_field=urldecode(string) | eval action=case(match(status,\"200\"),\"Allowed\",match(status,\"303|500|401|403|404|301|406\"),\"Blocked\",1=1,\"Unknown\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host | rename clientip as src, uri as dest_uri | iplocation src | fillnull value=\"N/A\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field | `splunk_rce_via_user_xslt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Reflected XSS in the templates lists radio", "author": "Rod Soto, Chase Franklin", "date": "2024-05-23", "version": 2, "id": "d532d105-c63f-4049-a8c4-e249127ca425", "description": "The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with `output_mode=radio` is used in a URI, leveraging `splunkd_webx` logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance.", "references": ["https://research.splunk.com/stories/splunk_vulnerabilities/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential XSS exploitation against radio template by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`", "how_to_implement": "This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to \"en-US/list/entities/x/ui/views\" which is the vulnerable injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_reflected_xss_in_the_templates_lists_radio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "author": "Rod Soto", "date": "2024-05-23", "version": 2, "id": "182f9080-4137-4629-94ac-cb1083ac981a", "description": "The following analytic identifies attempts to exploit a reflected cross-site scripting (XSS) vulnerability on the app search table endpoint in Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12. It detects this activity by analyzing web request logs for specific dataset commands (`makeresults`, `count`, `eval`, `baseSPL`) within the `splunkd_web` index. This activity is significant because successful exploitation can lead to the execution of arbitrary commands on the Splunk platform, potentially compromising the entire instance. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and manipulate data within the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0801"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible XSS attack against from $user$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` (dataset_commands=\"*makeresults*\" AND dataset_commands=\"*count*\" AND dataset_commands=\"*eval*\" AND dataset_commands=\"*baseSPL*\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip status user view root uri_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter`", "how_to_implement": "Need access to the internal indexes.", "known_false_positives": "This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_reflected_xss_on_app_search_table_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk risky Command Abuse disclosed february 2023", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2024-07-01", "version": 4, "id": "ee69374a-d27e-4136-adac-956a96ff60fd", "description": "The following analytic identifies the execution of high-risk commands associated with various Splunk vulnerability disclosures. It leverages the Splunk_Audit.Search_Activity datamodel to detect ad-hoc searches by non-system users that match known risky commands. This activity is significant for a SOC as it may indicate attempts to exploit known vulnerabilities within Splunk, potentially leading to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe threat to the organization's security posture.", "references": ["https://advisory.splunk.com/advisories"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_risky_command", "type": "Other", "role": ["Other"]}], "message": "Use of risky splunk command $splunk_risky_command$ detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1548", "T1202"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats fillnull_value=\"N/A\" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != \"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_risky_command_abuse_disclosed_february_2023_filter`", "how_to_implement": "Requires implementation of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This search encompasses many commands.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_risky_command_abuse_disclosed_february_2023_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse", "filename": "splunk_risky_command_20240601.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "fields_list": null}]}, {"name": "Splunk Stored XSS conf-web Settings on Premises", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "ed1209ef-228d-4dab-9856-be9369925a5c", "description": "This hunting detection provides information on exploitation of stored XSS against /configs/conf-web/settings by an admin level user.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0717"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible XSS attack against $host$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` *script* *eval* | stats min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_stored_xss_conf_web_settings_on_premises_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives, operator must identify XSS elemetns in the splunk_python log related to the vulnerable endpoint.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_stored_xss_conf_web_settings_on_premises_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Stored XSS via Data Model objectName Field", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "062bff76-5f9c-496e-a386-cb1adcf69871", "description": "The following analytic identifies attempts to exploit a stored cross-site scripting (XSS) vulnerability in Splunk Enterprise via the Data Model object name field. It detects this activity by analyzing web access logs (`splunkd_webx`) for specific URI patterns and non-null query parameters. This activity is significant because it allows authenticated users to inject and store malicious scripts, leading to persistent XSS attacks. If confirmed malicious, this could enable attackers to execute arbitrary scripts in the context of other users, potentially leading to data theft, session hijacking, or further compromise of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2022-1109", "https://portswigger.net/web-security/cross-site-scripting/cheat-sheet"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` uri=/*/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`", "how_to_implement": "This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against \"/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_stored_xss_via_data_model_objectname_field_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Stored XSS via Specially Crafted Bulletin Message", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "fd852b27-1882-4505-9f2c-64dfb96f4fc1", "description": "The following hunting detection provides fields related to /service/messages endpoints where specially crafted bulletin message can exploit stored XSS.", "references": ["https://advisory.splunk.com/SVD-2024-0713"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "message", "type": "Other", "role": ["Other"]}], "message": "Please investigate $message for possible XSS attack in bulletin message $message$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/messages | search message=\"*http*\" | table id author message title | `splunk_stored_xss_via_specially_crafted_bulletin_message_filter`", "how_to_implement": "Need access to Splunk REST api data via search.", "known_false_positives": "Must look at messages field and find malicious suspicious characters or hyperlinks. Not all requests to this endpoint will be malicious.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_stored_xss_via_specially_crafted_bulletin_message_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated DoS via Null Pointer References", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "d67594fe-c317-41b8-9319-ec8428d5c2ea", "description": "The following hunting search provides information on splunkd crash as a result of a Denial of Service Exploitation via null pointer references which targets 'services/cluster/config' endpoint.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0702"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation attack against $host$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_crash_log` \"Segmentation fault\" \"POST /services/cluster/config\" | stats count min(_time) as firstTime max(_time) as lastTime by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthenticated_dos_via_null_pointer_references_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives. An operator needs to find proximity and detail of requests targeting cluster config endpoint and subsequent Segmentation fault in splunk crash log.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_unauthenticated_dos_via_null_pointer_references_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "author": "Rod Soto", "date": "2024-05-19", "version": 2, "id": "de3908dc-1298-446d-84b9-fa81d37e959b", "description": "The following analytic identifies potential log injection attempts into the Splunk server via specially crafted web URLs. It detects ANSI escape codes within the `uri_path` field of `splunkd_webx` logs. This activity is significant as it can lead to log file manipulation, potentially obfuscating malicious actions or misleading analysts. If confirmed malicious, an attacker could manipulate log files to hide their tracks or execute further attacks, compromising the integrity of the logging system and making incident response more challenging.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0606"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Splunk unauthenticated log injection web service log exploitation attempt against $host$ from $clientip$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` uri_path IN (\"*\\x1B*\", \"*\\u001b*\", \"*\\033*\", \"*\\0x9*\", \"*\\0x8*\") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`", "how_to_implement": "This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.", "known_false_positives": "This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_unauthenticated_log_injection_web_service_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Unauthenticated Path Traversal Modules Messaging", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "e7c2b064-524e-4d65-8002-efce808567aa", "description": "This hunting search provides information on exploitation attempts against /modules/messaging endpoint, the exploit can be clearly seen as the ../ which signals an attempt to traverse target directories.", "references": ["https://advisory.splunk.com/SVD-2024-0711"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible directory traversal attack against $host$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` method=GET uri_path=\"/*/modules/messaging/*..*\" | stats min(_time) as firstTime max(_time) as lastTime values(method) as method values(uri_path) as uri_path by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthenticated_path_traversal_modules_messaging_filter`", "how_to_implement": "Only applies to Microsoft Windows installations of Splunk.", "known_false_positives": "May catch other exploitation attempts using path traversal related characters.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_unauthenticated_path_traversal_modules_messaging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Unauthorized Experimental Items Creation", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "84afda04-0cd6-466b-869e-70d6407d0a34", "description": "This hunting search provides information on finding possible creation of unauthorized items against /experimental endpoint.", "references": ["https://advisory.splunk.com/SVD-2024-0715"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible unauthorized creation of experimental items from $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` */experimental/* method=POST | stats count min(_time) as firstTime max(_time) as lastTime by clientip method uri_path uri status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthorized_experimental_items_creation_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "Not all requests are going to be malicious, there will be false positives, however operator must find suspicious items that might have been created by an unauthorized user.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_unauthorized_experimental_items_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Unauthorized Notification Input by User", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "4b7f368f-4322-47f8-8363-2c466f0b7030", "description": "This hunting search provides information to track possible exploitation of a lower privilege user able to push notifications that may include malicious code as notifications for all users in Splunk.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0709"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Please review messages at $splunk_server for possible unauthorized notification input.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/messages | table title message severity timeCreated_iso published splunk_server author | `splunk_unauthorized_notification_input_by_user_filter`", "how_to_implement": "Requires access to Splunk rest data.", "known_false_positives": "This search will produce false positives which may include benign notifications from other Splunk entities, attention to suspicious or anomalous elements in notifications helps identify actual exploitation of this vulnerability.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_unauthorized_notification_input_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "author": "Rod Soto, Splunk", "date": "2024-05-28", "version": 2, "id": "b7d1293f-e78f-415e-b5f6-443df3480082", "description": "The following analytic identifies user activity related to uploading lookup tables with unnecessary filename extensions in Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4. It detects this activity by monitoring HTTP methods (POST, DELETE) and specific URI paths in the internal `splunkd_access` logs. This behavior is significant because it can indicate attempts to upload potentially malicious files disguised as lookup tables. If confirmed malicious, this activity could allow an attacker to execute unauthorized code or manipulate data within the Splunk environment, leading to potential data breaches or system compromise.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkda` method IN (\"POST\", \"DELETE\") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method==\"POST\" AND like( uri_path , \"%/acl\" ) , \"Permissions Update\", method==\"POST\" AND NOT like( uri_path , \"%/acl\" ) , \"Edited\" , method==\"DELETE\" , \"Deleted\" ) | rex field=uri_path \"(?.*?)\\/ui\\/views/(?.*)\" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`", "how_to_implement": "Requires access to internal splunkd_access.", "known_false_positives": "This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk User Enumeration Attempt", "author": "Lou Stella, Splunk", "date": "2024-05-21", "version": 3, "id": "25625cb4-1c4d-4463-b0f9-7cb462699cde", "description": "The following analytic identifies attempts to enumerate usernames in Splunk by detecting multiple failed authentication attempts from the same source. It leverages data from the `_audit` index, specifically focusing on failed authentication events. This activity is significant for a SOC because it can indicate an attacker trying to discover valid usernames, which is a precursor to more targeted attacks like password spraying or brute force attempts. If confirmed malicious, this activity could lead to unauthorized access, compromising the security of the Splunk environment and potentially exposing sensitive data.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.", "risk_score": 40, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.", "known_false_positives": "Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_user_enumeration_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_failed_auths", "definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS in Highlighted JSON Events", "author": "Rod Soto, Splunk", "date": "2024-07-01", "version": 3, "id": "1030bc63-0b37-4ac9-9ae0-9361c955a3cc", "description": "The following analytic identifies potential exploitation of a Cross-Site Scripting (XSS) vulnerability in Splunk Enterprise 9.1.2. It detects suspicious requests to the Splunk web GUI that may execute JavaScript within script tags. This detection leverages logs from the `splunkd_ui` data source, focusing on specific URI paths and HTTP methods. This activity is significant as it can allow attackers to execute arbitrary JavaScript, potentially accessing the API with the logged-in user's permissions. If the user is an admin, the attacker could create an admin account, leading to full control over the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1103"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation from $clientip$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` \"/*/splunkd/__raw/servicesNS/nobody/search/authentication/users\" status=201 | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_in_highlighted_json_events_filter`", "how_to_implement": "This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives as it is not possible to view contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_in_highlighted_json_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS in Monitoring Console", "author": "Lou Stella, Splunk", "date": "2024-05-17", "version": 2, "id": "b11accac-6fa3-4103-8a1a-7210f1a67087", "description": "The following analytic identifies attempts to exploit a reflective Cross-Site Scripting (XSS) vulnerability in the Splunk Distributed Monitoring Console app. It detects GET requests with suspicious query parameters by analyzing `splunkd_web` logs in the _internal index. This activity is significant because it targets a known vulnerability (CVE-2022-27183) that could allow attackers to execute arbitrary scripts in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `splunkd_web` method=\"GET\" uri_query=\"description=%3C*\" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.", "known_false_positives": "Use of the monitoring console where the less-than sign (<) is the first character in the description field.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_xss_in_monitoring_console_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS in Save table dialog header in search page", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "a974d1ee-ddca-4837-b6ad-d55a8a239c20", "description": "The following analytic identifies persistent cross-site scripting (XSS) attempts in the 'Save Table' dialog on the Splunk search page. It detects POST requests to the endpoint `/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model` containing potential XSS payloads. This activity is significant because it can allow a remote user with the \"power\" role to inject malicious scripts, leading to persistent XSS vulnerabilities. If confirmed malicious, this could enable attackers to execute arbitrary scripts in the context of the affected user, potentially leading to data theft, session hijacking, or further exploitation within the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2022-1101", "https://portswigger.net/web-security/cross-site-scripting"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation attempt from $clientip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` method=POST uri=/*/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`", "how_to_implement": "Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.", "known_false_positives": "If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS Privilege Escalation via Custom Urls in Dashboard", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "01e1e386-7656-4f36-a55a-52fe39b04a96", "description": "This is a composed hunting search that looks for POST requests to splunk_internal_metrics/data/ui/views which can be used to elevate privileges on the Splunk server via custom urls. The way to find privilege escalation is by looking at created users with high privielges after payload has been executed. This search looks at POST request and then looks at created users privileges.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible XSS attack and privilege escalation via custom urls in dashboard against $host$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` method=POST /*/data/ui/views* | stats values(method) as method by _time index, sourcetype, host | eval event=\"post_request\" | append [| search `audittrail` action=\"edit_user\" operation=\"create\" | rex field=_raw \"object=\\\"(?.*)\\\"\" | stats count values(operation) as operation values(splunk_server) as splunk_server values(user) as user by _time index, sourcetype, host, newUser | eval event=\"create_user\"] | sort - _time | transaction host startswith=event=\"post_request\" endswith=event=\"create_user\" maxspan=10m | table _time index, sourcetype, host, method, user, splunk_server, operation, event, newUser eventcount | `splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter`", "how_to_implement": "Requires access to internal indexes _audit and _internal.", "known_false_positives": "This is a hunting search and requires operator to search for specific indicators of user creation in proximity to POST requests against vulnerable endpoint. It is not possible to detect payload during runtime.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS Via External Urls in Dashboards SSRF", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "b0a67520-ae82-4cf6-b04e-9f6cce56830d", "description": "This is a hunting search that provides elements to find possible dashboards created with external URL references in order to elicit Server Side Request Forgery from /data/ui/views endpoint.", "references": ["https://advisory.splunk.com/SVD-2024-0714"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible SSRF attack from $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` user=* uri_path=\"/*/manager/permissions/launcher/data/ui/views/*\" file=* | stats count min(_time) as firstTime max(_time) as lastTime by clientip user file host method uri_path uri_query | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_via_external_urls_in_dashboards_ssrf_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and requires an operator to search for specific indicators of Server Side Request Forgery attack against /data/ui/views. It is not possible to grab display the payloads of such requests, so this search provides users, ip addresses, requests, files, and queries that may indicate malicious intent. There will be false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_external_urls_in_dashboards_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS via View", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-13", "version": 2, "id": "9ac2bfea-a234-4a18-9d37-6d747e85c2e4", "description": "The following analytic identifies potential Cross-Site Scripting (XSS) attempts via the 'layoutPanel' attribute in the 'module' tag within XML Views in Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4. It leverages internal logs from \"splunk_web_service\" and \"splunk_python\" sourcetypes, focusing on messages containing \"loadParams.\" This activity is significant as it can lead to unauthorized script execution within the Splunk Web interface, potentially compromising the security of the instance. If confirmed malicious, attackers could execute arbitrary scripts, leading to data theft, session hijacking, or further exploitation of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "fileName", "type": "URL String", "role": ["Target"]}], "message": "Potential stored XSS attempt via $fileName$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "index = _internal sourcetype IN (\"splunk_web_service\", \"splunk_python\") message=\"*loadParams*\" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`", "how_to_implement": "This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.", "known_false_positives": "The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_view_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email Attachment Extensions", "author": "David Dorsey, Splunk", "date": "2024-05-29", "version": 4, "id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "description": "The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a Playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.'", "known_false_positives": "None identified", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_email_attachment_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "suspicious_email_attachments", "definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions"}], "lookups": []}, {"name": "Suspicious Java Classes", "author": "Jose Hernandez, Splunk", "date": "2024-05-19", "version": 2, "id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "description": "The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_method=POST http_content_length>1 | regex form_data=\"(?i)java\\.lang\\.(?:runtime|processbuilder)\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_java_classes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Servers Executing Suspicious Processes", "author": "David Dorsey, Splunk", "date": "2024-05-11", "version": 2, "id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "description": "The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model \"Endpoint.Processes\" to search for specific process names such as \"whoami\", \"ping\", \"iptables\", \"wget\", \"service\", and \"curl\". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\"web_server\" AND (Processes.process=\"*whoami*\" OR Processes.process=\"*ping*\" OR Processes.process=\"*iptables*\" OR Processes.process=\"*wget*\" OR Processes.process=\"*service*\" OR Processes.process=\"*curl*\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "web_servers_executing_suspicious_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-12", "version": 2, "id": "0840ddf1-8c89-46ff-b730-c8d6722478c0", "description": "The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment.", "references": [], "tags": {"analytic_story": ["Compromised User Account", "Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename \"IsOutlier(api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Destroyed", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 2, "id": "ef629fc9-1583-4590-b62a-f2247fbf7bbf", "description": "The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to detect outliers. This activity is significant for a SOC because a sudden spike in destroyed instances could indicate malicious activity, such as an insider threat or a compromised account attempting to disrupt services. If confirmed malicious, this could lead to significant operational disruptions, data loss, and potential financial impact due to the destruction of critical cloud resources.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename \"IsOutlier(instances_destroyed)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.", "known_false_positives": "Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_destroyed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Launched", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 3, "id": "f2361e9f-3928-496c-a556-120cd4223a65", "description": "The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to identify outliers based on historical data. This activity is significant for a SOC because a sudden spike in instance creation could indicate unauthorized access or misuse of cloud resources. If confirmed malicious, this behavior could lead to resource exhaustion, increased costs, or provide attackers with additional compute resources to further their objectives.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_launched_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 2, "id": "d4dfb7f3-7a37-498a-b5df-f19334e871af", "description": "The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename \"IsOutlier(security_group_api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_security_group_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Amazon EKS Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "294c4686-63dd-4fe6-93a2-ca807626704a", "description": "The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the \"system:anonymous\" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" userAgent!=\"AWS Security Scanner\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_eks_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Amazon EKS Kubernetes Pod scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-29", "version": 2, "id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "description": "The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is \"system:anonymous\", `verb` is \"list\", and `objectRef.resource` is \"pods\", with `requestURI` set to \"/api/v1/pods\". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster Pod", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" verb=list objectRef.resource=pods requestURI=\"/api/v1/pods\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_eks_kubernetes_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "author": "Patrick Bareiss, Splunk", "date": "2024-05-24", "version": 3, "id": "b3424bbe-3204-4469-887b-ec144483a336", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `amazon_security_lake` api.operation=DescribeEventAggregates \"http_request.user_agent\"!=\"AWS Internal\" \"src_endpoint.domain\"!=\"health.amazonaws.com\" | eval time = time/pow(10,3) | `security_content_ctime(time)` | bin span=5m time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count values(cloud.region) as cloud.region by time api.operation actor.user.account_uid actor.user.uid | where distinct_ip_count > 1 | rename cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id, actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-05-29", "version": 4, "id": "1f0b47e5-0134-43eb-851c-e3258638945e", "description": "The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudTrail logging for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudWatch logging group for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Impair Security Services", "author": "Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 3, "id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "description": "The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1", "description": "The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "f3eb471c-16d0-404d-897c-7653f0a78cba", "description": "The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "739ed682-27e9-4ba0-80e5-a91b97698213", "description": "The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), \"%H\"), weekday=strftime(time/pow(10,3), \"%A\") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region | rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "886a8f46-d7e2-4439-b9ba-aec238e31732", "description": "The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_ecr_users_asl", "definition": "actor.user.name IN (admin)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS IAM Delete Policy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 3, "id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "description": "The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted AWS Policies from IP address $src_ip$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS IAM Failure Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "8d12f268-c567-4557-9813-f8389e235c06", "description": "The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has had mulitple failures while attempting to delete groups from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS IAM Successful Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "1bbe54f1-93d7-4764-8a01-ddaa12ece7ac", "description": "The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has sucessfully deleted a user group from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1069.003", "T1098", "T1069"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`", "how_to_implement": "You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 3, "id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS New MFA Method Registered For User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 3, "id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "description": "The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new virtual device is added to user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS AMI Attribute Modification for Exfiltration", "author": "Bhavin Patel, Splunk", "date": "2024-05-09", "version": 3, "id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "description": "The following analytic detects suspicious modifications to AWS AMI attributes, such as sharing an AMI with another AWS account or making it publicly accessible. It leverages AWS CloudTrail logs to identify these changes by monitoring specific API calls. This activity is significant because adversaries can exploit these modifications to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public.", "risk_score": 80, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,\"all\") ,\"Public AMI\", \"Not Public\") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_ami_attribute_modification_for_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Concurrent Sessions From Different Ips", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "51c04fdb-2746-465a-b86e-b413a09c9085", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName = DescribeEventAggregates src_ip!=\"AWS Internal\" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Console Login Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 2, "id": "55349868-5583-466f-98ab-d3beb321961e", "description": "The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when MFA was used but the login attempt still failed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ failed to pass MFA challenge while logging into console from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorMessage=\"Failed authentication\" additionalEventData.MFAUsed = \"Yes\" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_console_login_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Create Policy Version to allow all resources", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 5, "id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "description": "The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ created a policy version that allows them to access any resource in their account.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = \"*\" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS CreateAccessKey", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 4, "id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "description": "The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS CreateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 3, "id": "2a9b80d3-6340-4345-11ad-212bf444d111", "description": "The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is attempting to create a login profile for $new_login_profile$ and did a console login from this IP $src_ip$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_createloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Credential Access Failed Login", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "description": "The following analytic identifies unsuccessful login attempts to the AWS Management Console using a specific user identity. It leverages AWS CloudTrail logs to detect failed authentication events associated with the AWS ConsoleLogin action. This activity is significant for a SOC because repeated failed login attempts may indicate a brute force attack or unauthorized access attempts. If confirmed malicious, an attacker could potentially gain access to AWS account services and resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has a login failure from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely mistype or forget the password.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_credential_access_failed_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Credential Access GetPasswordData", "author": "Bhavin Patel, Splunk", "date": "2024-05-21", "version": 2, "id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "description": "The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1552/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment.", "known_false_positives": "Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_credential_access_getpassworddata_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Credential Access RDS Password reset", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-09", "version": 3, "id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "description": "The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "database_id", "type": "Endpoint", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$database_id$ password has been reset from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=\"rds.amazonaws.com\" eventName=ModifyDBInstance \"requestParameters.masterUserPassword\"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely reset the RDS password.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_credential_access_rds_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Cross Account Activity From Previously Unseen Account", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "21193641-cb96-4a2c-a707-d9b9a7f7792b", "description": "The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "requestingAccountId", "type": "Other", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), \"-24h@h\"),\"New Cross Account Activity\",\"Previously Seen\") | where status = \"New Cross Account Activity\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.", "known_false_positives": "Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cross_account_activity_from_previously_unseen_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles", "collection": "previously_seen_aws_cross_account_activity", "case_sensitive_match": null, "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId"}]}, {"name": "AWS Defense Evasion Delete Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2024-05-14", "version": 2, "id": "82092925-9ca1-4e06-98b8-85a2d3889552", "description": "The following analytic detects the deletion of AWS CloudTrail logs by identifying `DeleteTrail` events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "d308b0f1-edb7-4a62-a614-af321160710f", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Impair Security Services", "author": "Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "b28c4957-96a6-47e0-a965-6c767aac1458", "description": "The following analytic detects attempts to delete critical AWS security service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages CloudTrail logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion PutBucketLifecycle", "author": "Bhavin Patel", "date": "2024-05-28", "version": 2, "id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "description": "The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_defense_evasion_putbucketlifecycle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "description": "The following analytic detects `StopLogging` events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Update Cloudtrail", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "description": "The following analytic detects `UpdateTrail` events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "aws detect attach to role policy", "author": "Rod Soto, Splunk", "date": "2024-05-12", "version": 2, "id": "88fc31dd-f331-448c-9856-d3d51dd5d3a1", "description": "The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_attach_to_role_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect permanent key creation", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "12d6d713-3cb4-4ffc-a064-1dca3d1cca01", "description": "The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \"userIdentity.type\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_permanent_key_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect role creation", "author": "Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "5f04081e-ddee-4353-afe4-504f288de9ad", "description": "The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action is performed, focusing on roles with specific trust policies. This activity is significant as unauthorized role creation can facilitate lateral movement and privilege escalation within the AWS environment. If confirmed malicious, attackers could gain elevated permissions, potentially compromising sensitive resources and data.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_role_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect sts assume role abuse", "author": "Rod Soto, Splunk", "date": "2024-05-20", "version": 2, "id": "8e565314-b6a2-46d8-9f05-1a34a176a662", "description": "The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_detect_sts_assume_role_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "aws detect sts get session token abuse", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "85d7b35f-b8b5-4b01-916f-29b81e7a0551", "description": "The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1550"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_get_session_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2024-05-28", "version": 2, "id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "description": "The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account is potentially compromised and user $user$ is trying to compromise other accounts.", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action=\"kms:Encrypt\" AND key_policy_principal=\"*\" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2024-05-18", "version": 3, "id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "description": "The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption=\"aws:kms\" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "There maybe buckets provisioned with S3 encryption", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Disable Bucket Versioning", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "657902a9-987d-4879-a1b2-e7a65512824b", "description": "The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability.", "references": ["https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName= PutBucketVersioning \"requestParameters.VersioningConfiguration.Status\"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_disable_bucket_versioning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS EC2 Snapshot Shared Externally", "author": "Bhavin Patel, Splunk", "date": "2024-05-07", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "description": "The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,\"Match\",\"No Match\") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = \"No Match\" | `aws_ec2_snapshot_shared_externally_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_ec2_snapshot_shared_externally_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings High", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 3, "id": "30a0e9f8-f1dd-4f9d-8fc2-c622461d781c", "description": "The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity high found in repository $repository$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_ecr_container_scanning_findings_high_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "author": "Patrick Bareiss, Eric McGinnis Splunk", "date": "2024-05-15", "version": 3, "id": "cbc95e44-7c22-443f-88fd-0424478f5589", "description": "The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN (\"LOW\", \"INFORMATIONAL\", \"UNKNOWN\") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"low\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Medium", "author": "Patrick Bareiss, Splunk", "date": "2024-05-06", "version": 3, "id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "description": "The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 21, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user| eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_scanning_findings_medium_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM or on weekends. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "300688e4-365c-4486-a065-7c884462b31d", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) by an unknown user. It leverages AWS CloudTrail logs to identify `PutImage` events from the ECR service, filtering out known users. This activity is significant because container uploads should typically be performed by a limited set of authorized users. If confirmed malicious, this could indicate unauthorized access, potentially leading to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_ecr_users", "definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2024-05-08", "version": 2, "id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "description": "The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "description": "The following analytic identifies anomalous GetObject API activity in AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail logs and uses the `anomalydetection` command to detect unusual patterns in the frequency of GetObject API calls by analyzing fields such as \"count,\" \"user_type,\" and \"user_arn\" within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection", "https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Anomalous S3 activities detected by user $user_arn$ from $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1119"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection \"count\" \"user_type\" \"user_arn\" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Exfiltration via Batch Service", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 2, "id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "description": "The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and their status. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1119"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_batch_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Exfiltration via Bucket Replication", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 2, "id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "description": "The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify `PutBucketReplication` events, focusing on fields like `bucketName`, `ReplicationConfiguration.Rule.Destination.Bucket`, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_bucket_replication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Exfiltration via DataSync Task", "author": "Bhavin Patel, Splunk", "date": "2024-05-28", "version": 2, "id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "description": "The following analytic detects the creation of an AWS DataSync task, which could indicate potential data exfiltration. It leverages AWS CloudTrail logs to identify the `CreateTask` event from the DataSync service. This activity is significant because attackers can misuse DataSync to transfer sensitive data from a private AWS location to a public one, leading to data compromise. If confirmed malicious, this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1119"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = CreateTask eventSource=\"datasync.amazonaws.com\" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_datasync_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 2, "id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "description": "The following analytic detects a series of AWS API calls related to EC2 snapshots within a short time window, indicating potential exfiltration via EC2 Snapshot modifications. It leverages AWS CloudTrail logs to identify actions such as creating, describing, and modifying snapshot attributes. This activity is significant as it may indicate an attacker attempting to exfiltrate data by sharing EC2 snapshots externally. If confirmed malicious, the attacker could gain access to sensitive information stored in the snapshots, leading to data breaches and potential compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://stratus-red-team.cloud/attack-techniques/list/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "userName", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName IN (\"CreateSnapshot\", \"DescribeSnapshotAttribute\", \"ModifySnapshotAttribute\", \"DeleteSnapshot\") src_ip !=\"guardduty.amazonaws.com\" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_ec2_snapshot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications For User", "author": "Bhavin Patel, Splunk", "date": "2024-05-25", "version": 2, "id": "e3236f49-daf3-4b70-b808-9290912ac64d", "description": "The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. Security teams should consider adjusting the threshold based on their specific environment to reduce false positives.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}], "message": "User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 2, "id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute window. This detection leverages CloudTrail logs, aggregating failed login events by IP address and time span. This activity is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges within an AWS environment. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation of AWS resources.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS IAM AccessDenied Discovery Events", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "3e1f1568-9633-11eb-a69c-acde48001122", "description": "The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.arn", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1580"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (errorCode = \"AccessDenied\") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_accessdenied_discovery_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Assume Role Policy Brute Force", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "f19e09b0-9308-11eb-b7ec-acde48001122", "description": "The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/", "https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.", "risk_score": 28, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1580", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_iam_assume_role_policy_brute_force_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Delete Policy", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "ec3a9362-92fe-11eb-99d0-acde48001122", "description": "The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Failure Group Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "723b861a-92eb-11eb-93b8-acde48001122", "description": "The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. This activity is significant as it may indicate unauthorized attempts to modify IAM group configurations, which could be a precursor to privilege escalation or other malicious actions. If confirmed malicious, this could allow an attacker to disrupt IAM policies, potentially leading to unauthorized access or denial of service within the AWS environment.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has had mulitple failures while attempting to delete groups from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Successful Group Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "e776d06c-9267-11eb-819b-acde48001122", "description": "The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_deleted", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1069.003", "T1098", "T1069"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Lambda UpdateFunctionCode", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "211b80d3-6340-4345-11ad-212bf3d0d111", "description": "The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful `UpdateFunctionCode` events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.", "references": ["http://detectioninthe.cloud/execution/modify_lambda_function_code/", "https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$", "risk_score": 63, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_lambda_updatefunctioncode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "374832b1-3603-420c-b456-b373e24d34c0", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "aws_account_id", "type": "Other", "role": ["Victim"]}, {"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Multiple Failed MFA Requests For User", "author": "Bhavin Patel", "date": "2024-05-31", "version": 2, "id": "1fece617-e614-4329-9e61-3ba228c0f353", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect more than 10 failed MFA prompts within 5 minutes. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access to the AWS environment, potentially compromising sensitive data and resources.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ is seen to have high number of MFA prompt failures within a short period of time.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName= ConsoleLogin \"additionalEventData.MFAUsed\"=Yes errorMessage=\"Failed authentication\" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel", "date": "2024-05-10", "version": 2, "id": "71e1fb89-dd5f-4691-8523-575420de4630", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. It leverages CloudTrail logs to detect multiple failed login attempts from the same IP address. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain unauthorized access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip | `aws_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Network Access Control List Created with All Open Ports", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 3, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "description": "The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$", "risk_score": 48, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_network_access_control_list_created_with_all_open_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Network Access Control List Deleted", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-15", "version": 3, "id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "description": "The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS New MFA Method Registered For User", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Password Policy Changes", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 2, "id": "aee4a575-7064-4e60-b511-246f9baf9895", "description": "The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as \"UpdateAccountPasswordPolicy,\" \"GetAccountPasswordPolicy,\" and \"DeleteAccountPasswordPolicy.\" This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 3, "id": "85096389-a443-42df-b89d-200efbb1b560", "description": "The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = \"collection\" OR All_Risk.annotations.mitre_attack.mitre_tactic = \"exfiltration\" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`", "how_to_implement": "You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.", "known_false_positives": "alse positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_s3_exfiltration_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "AWS SAML Access by Provider User and Principal", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "bbe23980-6019-11eb-ae93-0242ac130002", "description": "The following analytic identifies specific SAML access events by a service provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs to detect the `AssumeRoleWithSAML` event, analyzing fields such as `principalArn`, `roleArn`, and `roleSessionName`. This activity is significant as it can indicate abnormal access patterns or potential credential hijacking, especially in federated environments using the SAML protocol. If confirmed malicious, this could allow attackers to assume roles and gain unauthorized access to sensitive AWS resources, leading to data breaches or further exploitation.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "recipientAccountId", "type": "Other", "role": ["Victim"]}], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_saml_access_by_provider_user_and_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS SAML Update identity provider", "author": "Rod Soto, Splunk", "date": "2024-05-19", "version": 2, "id": "2f0604c6-6030-11eb-ae93-0242ac130002", "description": "The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.principalId", "type": "User", "role": ["Victim", "Target"]}], "message": "User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_saml_update_identity_provider_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS SetDefaultPolicyVersion", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "description": "The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_setdefaultpolicyversion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Successful Console Authentication From Multiple IPs", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 3, "id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "description": "The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring `ConsoleLogin` events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment.", "references": ["https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/"], "tags": {"analytic_story": ["Compromised User Account", "Suspicious AWS Login Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_successful_console_authentication_from_multiple_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Successful Single-Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "description": "The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorCode=success \"additionalEventData.MFAUsed\"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 3, "id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual numbers of failed authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS UpdateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2024-05-17", "version": 4, "id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "description": "The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_updateloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Active Directory High Risk Sign-in", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 3, "id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "description": "The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A high risk event was identified by Identify Protection for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype.", "known_false_positives": "Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_active_directory_high_risk_sign_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "9d4fea43-9182-4c5a-ada8-13701fd5615d", "description": "The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the \"Add app role assignment to service principal\" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add app role assignment to service principal\" src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Application Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 3, "id": "eac4de87-7a56-4538-a21b-277897af6d8d", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. It leverages Azure Active Directory events, specifically monitoring the \"Add member to role\" operation. This activity is significant because users in this role can manage all aspects of enterprise applications, including credentials, which can be used to impersonate application identities. If confirmed malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant.", "references": ["https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_application_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Authentication Failed During MFA Challenge", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-18", "version": 3, "id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "description": "The following analytic identifies failed authentication attempts against an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. This activity is significant as it may indicate an adversary attempting to authenticate using compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing effort to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "875de3d7-09bc-4916-8c0a-0929f4ced3d8", "description": "The following analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats by allowing users to grant consent to potentially malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update authorization policy\" | rename properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) | search AllowUserConsentForRiskyApps = \"[true]\" | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "description": "The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs per user. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | where unique_ips > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Device Code Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 3, "id": "d68d8732-6f7e-4ee5-a6eb-737f2b990b91", "description": "The following analytic identifies Azure Device Code Phishing attacks, which can lead to Azure Account Take-Over (ATO). It leverages Azure AD SignInLogs to detect suspicious authentication requests using the device code authentication protocol. This activity is significant as it indicates potential bypassing of Multi-Factor Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange mailboxes, and Outlook Web Application (OWA), leading to potential data breaches and unauthorized data access.", "references": ["https://attack.mitre.org/techniques/T1528", "https://github.com/rvrsh3ll/TokenTactics", "https://embracethered.com/blog/posts/2022/device-code-phishing/", "https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html", "https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Device code requested for $user$ from $src_ip$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528", "T1566", "T1566.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs \"properties.authenticationProtocol\"=deviceCode | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_device_code_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD External Guest User Invited", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "description": "The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment.", "references": ["https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf", "https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999", "https://attack.mitre.org/techniques/T1136/003/", "https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "External Guest User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Invite external user\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrator may legitimately invite external guest users. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_external_guest_user_invited_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "ae286126-f2ad-421c-b240-4ea83bd1c43a", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application within Office 365 Exchange Online. This is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. The detection leverages the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This activity is significant as it grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. If malicious, this could lead to unauthorized access and data exfiltration.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1098.002", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Global Administrator Role Assigned", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 5, "id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "description": "The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the \"Add member to role\" operation includes the \"Global Administrator\" role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk.", "references": ["https://o365blog.com/post/admin/", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "Global Administrator Role assigned for User $user$ initiated by $initiatedBy$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add member to role\" properties.targetResources{}.modifiedProperties{}.newValue=\"\\\"Global Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_global_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "630b1694-210a-48ee-a450-6f79e7679f2c", "description": "The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to authenticate more than 20 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 3, "id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the \"Disable Strong Authentication\" operation. This activity is significant because disabling MFA can allow adversaries to maintain persistence using compromised accounts without raising suspicion. If confirmed malicious, this action could enable attackers to bypass an essential security control, potentially leading to unauthorized access and prolonged undetected presence in the environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "116e11a9-63ea-41eb-a66a-6a13bdc7d2c7", "description": "The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "5d8bb1f0-f65a-4b4e-af2e-fcdb88276314", "description": "The following analytic detects unusual authentication activity in Azure AD, specifically when a single user account has over 8 authentication attempts using 3+ unique application IDs and 5+ unique user agents within a short period. It leverages Azure AD audit logs, focusing on authentication events and using statistical thresholds. This behavior is significant as it may indicate an adversary probing for MFA requirements. If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. Early detection is crucial to prevent substantial harm.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" (properties.authenticationRequirement=\"multiFactorAuthentication\" AND properties.status.additionalDetails=\"MFA required in Azure AD\") OR (properties.authenticationRequirement=singleFactorAuthentication AND \"properties.authenticationDetails{}.succeeded\"=true) | bucket span=5m _time | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Denied MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "d0895c20-de71-4fd2-b56c-3fcdb888eba1", "description": "The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on \"Sign-in activity\" events with error code 500121 and additional details indicating \"MFA denied; user declined the authentication.\" This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails=\"MFA denied; user declined the authentication\" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_multiple_denied_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 4, "id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" properties.status.errorCode=500121 properties.status.additionalDetails!=\"MFA denied; user declined the authentication\" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "66cb378f-234d-4fe1-bb4c-e7878ff6b017", "description": "The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "32880707-f512-414e-bd7f-204c0c85b758", "description": "The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 3, "id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "description": "The following analytic detects a single source IP failing to authenticate with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or privilege escalation within the Azure AD environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New Custom Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-14", "version": 3, "id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "description": "The following analytic detects the addition of a new custom domain within an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify successful \"Add unverified domain\" operations. This activity is significant as it may indicate an adversary attempting to establish persistence by setting up identity federation backdoors, allowing them to impersonate users and bypass authentication mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized access, escalate privileges, and maintain long-term access to the Azure AD environment, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new custom domain, $domain$ , was added by $user$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add unverified domain\" properties.result=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, new customm domains will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_custom_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New Federated Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 3, "id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "description": "The following analytic detects the addition of a new federated domain within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify successful \"Set domain authentication\" operations. This activity is significant as it may indicate the use of the Azure AD identity federation backdoor technique, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, potentially leading to unauthorized access and control over the Azure AD environment.", "references": ["https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new federated domain, $domain$ , was added by $user$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1484", "T1484.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Set domain authentication\" \"properties.result\"=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, domain federation settings will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "0488e814-eb81-42c3-9f1f-b2244973e3a3", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account in Azure Active Directory. It leverages Azure AD audit logs to identify changes in MFA configurations. This activity is significant because adding a new MFA method can indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges, access sensitive data, or make unauthorized changes. Immediate verification and remediation are required to secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update user\" | rename properties.* as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New MFA Method Registered For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "2628b087-4189-403f-9044-87403f777a1b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD OAuth Application Consent Granted By User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "10ec9031-015b-4617-b453-c0c1ab729007", "description": "The following analytic detects when a user in an Azure AD environment grants consent to an OAuth application. It leverages Azure AD audit logs to identify events where users approve application consents. This activity is significant as it can expose organizational data to third-party applications, a common tactic used by malicious actors to gain unauthorized access. If confirmed malicious, this could lead to unauthorized access to sensitive information and resources. Immediate investigation is required to validate the application's legitimacy, review permissions, and mitigate potential risks.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=success | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_oauth_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD PIM Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "description": "The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was assiged to $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add eligible member to role in PIM completed*\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_pim_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD PIM Role Assignment Activated", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 4, "id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "description": "The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the \"Add member to role completed (PIM activation)\" operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role completed (PIM activation)\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_pim_role_assignment_activated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 3, "id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "description": "The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 50, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_authentication_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "5521f8c5-1aa3-473c-9eb7-853701924a06", "description": "The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. Immediate investigation is required.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Privileged Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-29", "version": 3, "id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "description": "The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the \"Add member to role\" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 3, "id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "description": "The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.", "references": ["https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Victim"]}], "message": "A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role\" | rename properties.* as * | search \"targetResources{}.type\"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_role_assigned_to_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Service Principal Authentication", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "5a2ec401-60bb-474e-b936-1e66e7aa4060", "description": "The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting \"Sign-in activity\" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Service Principal $user$ authenticated from $src_ip$", "risk_score": 25, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Service Principal Created", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "description": "The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the \"Add service principal\" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals", "https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0", "https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}], "message": "Service Principal named $displayName$ created by $user$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately create Service Principal. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Service Principal New Client Credentials", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-11", "version": 3, "id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "description": "The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the \"Update application*Certificates and secrets management\" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "New credentials added for Service Principal by $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"Update application*Certificates and secrets management \" | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Service Principal Owner Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 4, "id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "description": "The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A new owner was added for service principal $displayName$ by $initiatedBy$", "risk_score": 54, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add owner to application\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately add new owners for Service Principals. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Successful Authentication From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 4, "id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "description": "The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.", "references": ["https://attack.mitre.org/techniques/T1110", "https://attack.mitre.org/techniques/T1110.001", "https://attack.mitre.org/techniques/T1110.003"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_successful_authentication_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Successful PowerShell Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 3, "id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is \"Microsoft Azure PowerShell.\" This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0", "https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ using PowerShell.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_successful_powershell_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_successful_powershell_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Successful Single-Factor Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 3, "id": "a560e7f6-1711-4353-885b-40be53101fcd", "description": "The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks*", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to sensitive data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Administrator $user$ consented an OAuth application for the tenant.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 3, "id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "description": "The following analytic identifies a single source IP failing to authenticate with multiple valid users, potentially indicating a Password Spraying attack against an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers of failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "risk_score": 54, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Azure AD User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "06b8ec9a-d3b5-4882-8f16-04b4d10f5eab", "description": "The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = \"\\\"Risky application detected\\\"\" | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "UPDATE_KNOWN_FALSE_POSITIVES", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "bb093c30-d860-4858-a56e-cd0895d5b49c", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment. This detection leverages Azure AD's audit logs, specifically focusing on user consent actions with error code 65004. Monitoring denied consent actions is significant as it can indicate users recognizing potentially suspicious or untrusted applications. If confirmed malicious, this activity could suggest attempts by unauthorized applications to gain access, potentially leading to data breaches or unauthorized actions within the environment. Understanding these denials helps refine security policies and enhance user awareness.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied consent for an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" properties.status.errorCode=65004 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Users may deny consent for legitimate applications by mistake, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD User Enabled And Password Reset", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 3, "id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "description": "The following analytic detects an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. It uses Azure Active Directory events to identify this sequence of actions. This activity is significant because it may indicate an adversary with administrative access attempting to establish a backdoor identity within the Azure AD tenant. If confirmed malicious, this could allow the attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information from the environment.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` (operationName=\"Enable account\" OR operationName=\"Reset password (by admin)\" OR operationName=\"Update user\") | transaction user startsWith=(operationName=\"Enable account\") endsWith=(operationName=\"Reset password (by admin)\") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_enabled_and_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD User ImmutableId Attribute Updated", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "description": "The following analytic identifies the modification of the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user. This detection leverages Azure AD audit logs, specifically monitoring the \"Update user\" operation and changes to the SourceAnchor attribute. This activity is significant as it is a step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, leading to unauthorized access and potential data breaches.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Update user\" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_immutableid_attribute_updated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Automation Account Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "860902fd-2e76-46b3-b050-ba548dab576c", "description": "The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premise environments. If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account?tabs=azureportal", "https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation account $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1136", "T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation account\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation accounts. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_account_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Automation Runbook Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "description": "The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/manage-runbooks", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation Runbook $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1136", "T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation Runbook\" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation Runbooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_runbook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Runbook Webhook Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 4, "id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "description": "The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the \"Create or Update an Azure Automation webhook\" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Runbook Webhook $object$ was created by $user$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation webhook\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Runbook Webhooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_runbook_webhook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Circle CI Disable Security Job", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 2, "id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "description": "The following analytic detects the disabling of security jobs in CircleCI pipelines. It leverages CircleCI log data, renaming and extracting fields such as job names, workflow IDs, user information, commit messages, URLs, and branches. The detection identifies mandatory jobs for each workflow and checks if they were executed. This activity is significant because disabling security jobs can allow malicious code to bypass security checks, leading to potential data breaches, system downtime, and reputational damage. If confirmed malicious, this could result in unauthorized code execution and compromised pipeline integrity.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1554"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, \"%\".mandatory_job.\"%\"), 1, 0) | where mandatory_job_executed=0 | eval phase=\"build\" | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circle_ci_disable_security_job_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow", "filename": "mandatory_job_for_workflow.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Circle CI Disable Security Step", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "description": "The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security step $mandatory_step$ in job $job_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1554"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, \"%\".mandatory_step.\"%\"), 1, 0) | where mandatory_step_executed=0 | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | eval phase=\"build\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circle_ci_disable_security_step_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job", "filename": "mandatory_step_for_job.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Cloud API Calls From Previously Unseen User Roles", "author": "David Dorsey, Splunk", "date": "2024-05-15", "version": 2, "id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "description": "The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),\"-24h@h\") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_api_calls_from_previously_unseen_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen", "collection": "previously_seen_cloud_api_calls_per_user_role", "case_sensitive_match": null, "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2024-05-18", "version": 3, "id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "description": "The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating a new instance $dest$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`", "how_to_implement": "You must be ingesting the appropriate cloud-infrastructure logs Run the \"Previously Seen Cloud Compute Creations By User\" support search to create of baseline of previously seen users.", "known_false_positives": "It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances", "collection": "previously_seen_cloud_compute_creations_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "author": "David Dorsey, Splunk", "date": "2024-05-10", "version": 2, "id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "description": "The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ in a new region for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_in_previously_unused_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities", "collection": "previously_seen_cloud_regions", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "author": "David Dorsey, Splunk", "date": "2024-05-30", "version": 2, "id": "bc24922d-987c-4645-b288-f8c73ec194c4", "description": "The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an image that has not been previously seen.", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), \"-24h@h\") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.", "known_false_positives": "After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_with_previously_unseen_image_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs", "collection": "previously_seen_cloud_compute_images", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2024-05-14", "version": 2, "id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "description": "The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where instance_type != \"unknown\" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types", "collection": "previously_seen_cloud_compute_instance_types", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data"}]}, {"name": "Cloud Instance Modified By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 2, "id": "7fb15084-b14e-405a-bd61-a6de15a40722", "description": "The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "User $user$ is modifying an instance $object_id$ for the first time.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`", "how_to_implement": "This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search \"Previously Seen Cloud Instance Modifications By User - Update\" should be enabled for this detection to properly work.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_instance_modified_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed", "collection": "previously_seen_cloud_instance_modifications_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen City", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "description": "The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "94994255-3acf-4213-9b3f-0494df03bb31", "description": "The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), \"-24h@h\") | `security_content_ctime(firstTime)` | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "description": "The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object_id", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-17", "version": 2, "id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "description": "The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Security Groups Modifications by User", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 2, "id": "cfe7cca7-2746-4bdf-b712-b01ed819b9de", "description": "The following analytic identifies unusual modifications to security groups in your cloud environment by users, focusing on actions such as modifications, deletions, or creations over 30-minute intervals. It leverages cloud infrastructure logs and calculates the standard deviation for each user, using the 3-sigma rule to detect anomalies. This activity is significant as it may indicate a compromised account or insider threat. If confirmed malicious, attackers could alter security group configurations, potentially exposing sensitive resources or disrupting services.", "references": ["https://attack.mitre.org/techniques/T1578/005/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unsual number cloud security group modifications detected by user - $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1578.005"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = \"security_group\" (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action = created) by All_Changes.user _time span=30m | `drop_dm_object_name(\"All_Changes\")` | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`", "how_to_implement": "This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment.", "known_false_positives": "It is possible that legitimate user/admin may modify a number of security groups", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_security_groups_modifications_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by New User", "author": "Rico Valdez, Splunk", "date": "2024-05-28", "version": 4, "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "description": "The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console for the first time", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1552"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), \"-24h@h\") OR isnull(earliestseen), \"First Time Logging into AWS Console\", \"Previously Seen User\") | where userStatus=\"First Time Logging into AWS Console\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_new_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS Console Login by User from New City", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-25", "version": 3, "id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "description": "The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from City $City$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New City\",\"Previously Seen City\") | where userCity = \"New City\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_user_from_new_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Country", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-16", "version": 3, "id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "description": "The following analytic identifies AWS console login events by users from a new country. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users and their login locations. This activity is significant because logins from new countries can indicate potential unauthorized access or compromised accounts. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the AWS environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Country $Country$ for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Country\",\"Previously Seen Country\") | where userCountry = \"New Country\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_user_from_new_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Region", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-18", "version": 3, "id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "description": "The following analytic identifies AWS console login attempts by users from a new region. It leverages AWS CloudTrail events and compares current login regions against a baseline of previously seen regions for each user. This activity is significant as it may indicate unauthorized access attempts or compromised credentials. If confirmed malicious, an attacker could gain unauthorized access to AWS resources, potentially leading to data breaches, resource manipulation, or further lateral movement within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Region $Region$ for the first time", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Region\",\"Previously Seen Region\") | where userRegion= \"New Region\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_user_from_new_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect GCP Storage access from a new IP", "author": "Shannon Davis, Splunk", "date": "2024-05-14", "version": 2, "id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "description": "The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "remote_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\"\\\"200\\\"\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),\"-70m@m\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\"%m/%d/%y %H:%M:%S\") | eval last_time=strftime(lastTime,\"%m/%d/%y %H:%M:%S\") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.", "known_false_positives": "GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_gcp_storage_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect New Open GCP Storage Buckets", "author": "Shannon Davis, Splunk", "date": "2024-05-17", "version": 2, "id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "description": "The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).", "known_false_positives": "While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the \"allUsers\" group.", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "detect_new_open_gcp_storage_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect New Open S3 buckets", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "description": "The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "message": "User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw \"(?{.+})\" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN (\"http://acs.amazonaws.com/groups/global/AllUsers\",\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\") | search permission IN (\"READ\",\"READ_ACP\",\"WRITE\",\"WRITE_ACP\",\"FULL_CONTROL\") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter`", "how_to_implement": "You must install the AWS App for Splunk.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect New Open S3 Buckets over AWS CLI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "description": "The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to \"AuthenticatedUsers\" or \"AllUsers.\" This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.userName", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=\"s3.amazonaws.com\" (userAgent=\"[aws-cli*\" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-full-control IN (\"*AuthenticatedUsers\",\"*AllUsers\") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_over_aws_cli_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect S3 access from a new IP", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "e6f1bb1b-f441-492b-9126-902acda217da", "description": "The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "bucketName", "type": "Other", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "New S3 access from a new IP - $src_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the \"Previously Seen S3 Bucket Access by Remote IP\" support search once to create a history of previously seen remote IPs and bucket names.", "known_false_positives": "S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_s3_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"Resources{}.Type\"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 4, "id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Spike in AWS Security Hub alerts for user - $user$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"findings{}.Resources{}.Type\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "description": "The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "resourceId", "type": "Other", "role": ["Victim"]}], "message": "Blocked outbound traffic from your AWS", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as dest_ip, values(interface_id) as \"resourceId\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of \"spike.\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Blocked Outbound Connection\" support search once to create a history of previously seen blocked outbound connections.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudwatchlogs_vpcflow", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in S3 Bucket deletion", "author": "Bhavin Patel, Splunk", "date": "2024-05-03", "version": 2, "id": "e733a326-59d2-446d-b8db-14a17151aa68", "description": "The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of S3 Bucket deletion activity by ARN\" support search once to create a baseline of previously seen S3 bucket-deletion activity.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_s3_bucket_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "description": "The following analytic detects failed authentication attempts during the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) tenant. It uses Google Workspace login failure events to identify instances where MFA methods were challenged but not successfully completed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials despite MFA protection. If confirmed malicious, this could lead to unauthorized access attempts, potentially compromising sensitive data and resources within the GCP environment.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Detect gcploit framework", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "description": "The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_detect_gcploit_framework_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Kubernetes cluster pod scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 2, "id": "19b53215-4a16-405b-8087-9e6acf619842", "description": "The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gcp_kubernetes_cluster_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "description": "The following analytic detects an attempt to disable multi-factor authentication (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin log events, specifically the `UNENROLL_USER_FROM_STRONG_AUTH` command. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised account without raising suspicion. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access, data exfiltration, or further exploitation of the compromised account.", "references": ["https://support.google.com/cloudidentity/answer/2537800?hl=en", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "GCP", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "actor.email", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $actor.email$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_reports_admin", "definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GCP Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "description": "The following analytic detects multiple failed multi-factor authentication (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It triggers when 10 or more MFA prompts fail within a 5-minute window, using Google Workspace login failure events. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise accounts and potentially escalate privileges within the GCP environment.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple Failed MFA requests for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "description": "The following analytic detects a single source IP address failing to authenticate into more than 20 unique Google Workspace user accounts within a 5-minute window. It leverages Google Workspace login failure events to identify potential password spraying attacks. This activity is significant as it may indicate an adversary attempting to gain unauthorized access or elevate privileges within the Google Cloud Platform. If confirmed malicious, this behavior could lead to unauthorized access to sensitive resources, data breaches, or further exploitation within the environment.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false postives for this detection. Please review this alert.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GCP Successful Single-Factor Authentication", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "description": "The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://support.google.com/a/answer/175197?hl=en", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "description": "The following analytic identifies a single source IP failing to authenticate into Google Workspace with multiple valid users, potentially indicating a Password Spraying attack. It uses Google Workspace login failure events and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation within the environment.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false positives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gcp_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Gdrive suspicious file sharing", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-13", "version": 2, "id": "a7131dae-34e3-11ec-a2de-acde48001122", "description": "The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations.", "references": ["https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html"], "tags": {"analytic_story": ["Data Exfiltration", "Spearphishing Attachments"], "asset_type": "GDrive", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = \"*@yourdomain.com\" target_user != \"*@yourdomain.com\" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`", "how_to_implement": "Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gdrive_suspicious_file_sharing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GitHub Actions Disable Security Workflow", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 2, "id": "0459f1a5-c0ac-4987-82d6-65081209f854", "description": "The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Security Workflow is disabled in branch $branch$ for repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1195.002", "T1195"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_actions_disable_security_workflow_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Github Commit Changes In Master", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c9d2bfe2-019f-11ec-a8eb-acde48001122", "description": "The following analytic detects direct commits or pushes to the master or main branch in a GitHub repository. It leverages GitHub logs to identify events where changes are made directly to these critical branches. This activity is significant because direct modifications to the master or main branch bypass the standard review process, potentially introducing unreviewed and harmful changes. If confirmed malicious, this could lead to unauthorized code execution, security vulnerabilities, or compromised project integrity.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to main branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1199"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "Admin can do changes directly to master branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_changes_in_master_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Github Commit In Develop", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "f3030cb6-0b02-11ec-8f22-acde48001122", "description": "The following analytic detects commits pushed directly to the 'develop' or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on commit metadata such as author details, commit messages, and timestamps. This activity is significant as direct commits to these branches can bypass the review process, potentially introducing unvetted changes. If confirmed malicious, this could lead to unauthorized code modifications, introducing vulnerabilities or backdoors into the codebase, and compromising the integrity of the development lifecycle.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to develop branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1199"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to develop branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_in_develop_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GitHub Dependabot Alert", "author": "Patrick Bareiss, Splunk", "date": "2024-05-27", "version": 2, "id": "05032b04-4469-4034-9df7-05f607d75cba", "description": "The following analytic identifies the creation of GitHub Dependabot alerts, which indicate potential vulnerabilities in the codebase. It detects this activity by searching for logs with the \"create\" action and analyzing fields such as affected package, severity, and fixed version. This detection is significant for a SOC because it helps identify and address security risks in the codebase proactively. If confirmed malicious, these vulnerabilities could be exploited by attackers to gain unauthorized access or cause breaches, leading to potential data loss or system compromise.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1195.001", "T1195"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_dependabot_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GitHub Pull Request from Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 2, "id": "9d7b9100-8878-4404-914e-ca5e551a641e", "description": "The following analytic detects pull requests from unknown users on GitHub. It uses a Splunk query to identify pull requests where the user ID is not specified and cross-references these with a known users lookup table. This activity is significant because pull requests from unknown users can introduce malicious code or unauthorized changes to repositories. If confirmed malicious, this could lead to unauthorized code changes, data breaches, or other security incidents. Immediate steps include reviewing the author's name, repository, head reference, and commit message, and investigating any related artifacts and processes.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1195.001", "T1195"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_known_users", "definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects."}, {"name": "github_pull_request_from_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Drive Share In External Email", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "description": "The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1567.002", "T1567"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_drive` NOT (email IN(\"\", \"null\")) | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=email \"[^@]+@(?[^@]+)\" | where src_domain = \"internal_test_email.com\" and not dest_domain = \"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "network admin or normal user may share files to customer and external team.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_drive_share_in_external_email_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GSuite Email Suspicious Attachment", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "6d663014-fe92-11eb-ab07-acde48001122", "description": "The following analytic detects suspicious attachment file extensions in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, and .js. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. If confirmed malicious, this could lead to unauthorized code execution, data breaches, or further network infiltration.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "Email Address", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` \"attachment{}.file_extension_type\" IN (\"pl\", \"py\", \"rb\", \"sh\", \"bat\", \"exe\", \"dll\", \"cpl\", \"com\", \"js\", \"vbs\", \"ps1\", \"reg\",\"swf\", \"cmd\", \"go\") | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_email_suspicious_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Email Suspicious Subject With Attachment", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "8ef3971e-00f2-11ec-b54f-acde48001122", "description": "The following analytic identifies Gsuite emails with suspicious subjects and attachments commonly used in spear phishing attacks. It leverages Gsuite email logs, focusing on specific keywords in the subject line and known malicious file types in attachments. This activity is significant for a SOC as spear phishing is a prevalent method for initial compromise, often leading to further malicious actions. If confirmed malicious, this activity could result in unauthorized access, data exfiltration, or further malware deployment, posing a significant risk to the organization's security.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` num_message_attachments > 0 subject IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"* fedex *\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") attachment{}.file_extension_type IN (\"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"pdf\", \"zip\", \"rar\", \"html\",\"htm\",\"hta\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_email_suspicious_subject_with_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Email With Known Abuse Web Service Link", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "8630aa22-042b-11ec-af39-acde48001122", "description": "The following analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite Gmail logs to identify emails with these specific domains in their links. This activity is significant because these services are commonly used by attackers to deliver malicious payloads. If confirmed malicious, this could lead to the delivery of malware, phishing attacks, or other harmful activities, potentially compromising sensitive information or systems within the organization.", "references": ["https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` \"link_domain{}\" IN (\"*pastebin.com*\", \"*discord*\", \"*telegram*\",\"t.me\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal email contains this link that are known application within the organization or network can be catched by this detection.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_email_with_known_abuse_web_service_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2024-05-10", "version": 3, "id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "description": "The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_domain_list", "type": "Email Address", "role": ["Victim"]}, {"name": "dest_domain", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious email from $src_domain_list$ to $dest_domain$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where source_domain=\"internal_test_email.com\" and not dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_outbound_email_with_attachment_to_external_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite suspicious calendar invite", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-21", "version": 2, "id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "description": "The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.", "references": ["https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/", "https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "email", "type": "Email Address", "role": ["Attacker"]}], "message": "Gsuite suspicious calendar invite sent by $email$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email=\"*yourdomain.com\"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`", "how_to_implement": "In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_calendar", "definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_calendar_invite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Suspicious Shared File Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "07eed200-03f5-11ec-98fb-acde48001122", "description": "The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like \"dhl,\" \"ups,\" \"invoice,\" and \"shipment.\" This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user's system.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_drive` parameters.owner_is_team_drive=false \"parameters.doc_title\" IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"*fedex*\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") parameters.doc_type IN (\"document\",\"pdf\", \"msexcel\", \"msword\", \"spreadsheet\", \"presentation\") | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=parameters.target_user \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_shared_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "High Number of Login Failures from a single source", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "description": "The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.", "references": ["https://attack.mitre.org/techniques/T1110/001/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1110.001", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts > 10 | `high_number_of_login_failures_from_a_single_source_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.", "known_false_positives": "An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "high_number_of_login_failures_from_a_single_source_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual Location", "author": "Patrick Bareiss, Splunk", "date": "2024-05-11", "version": 2, "id": "40a064c1-4ec1-4381-9e35-61192ba8ef82", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests by country. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} | fillnull | search NOT `kube_allowed_locations` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_locations", "definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 2, "id": "096ab390-05ca-462c-884e-343acd5b9240", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user agents. This activity is significant for a SOC because Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of critical information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_agents", "definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "b6f45bbc-4ea9-4068-b3bc-0477f6997ae2", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests and user groups. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_groups", "definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "author": "Patrick Bareiss, Splunk", "date": "2024-05-27", "version": 2, "id": "df6e9cae-5257-4a34-8f3a-df49fa0f5c46", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user names. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_names", "definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Access Scanning", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "2f4abe6d-5991-464d-8216-f90f42999764", "description": "The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities by monitoring Kubernetes audit logs for repeated failed access attempts or unusual API requests. This activity is significant for a SOC as it may indicate an attacker's preliminary reconnaissance to gather information about the system. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, posing a severe security risk.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1046"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_access_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-05-17", "version": 2, "id": "10442d8b-0701-4c25-911d-d67b906e713c", "description": "The following analytic identifies anomalous inbound network traffic volumes from processes within containerized workloads. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days. This activity is significant as it may indicate unauthorized data reception, potential breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, it could lead to command and control installation, data integrity damage, container escape, and further environment compromise.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key='dest.workload.name' + \":\" + 'dest.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key='dest.workload.name' + \":\" + 'dest.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_inbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "author": "Matthew Moore, Splunk", "date": "2024-05-13", "version": 2, "id": "4f3b0c97-657e-4547-a89a-9a50c656e3cd", "description": "The following analytic identifies high inbound or outbound network I/O anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup table with average and standard deviation values for network I/O is used to detect anomalies persisting over a 1-hour period. This activity is significant as it may indicate data exfiltration, command and control communication, or unauthorized data transfers. If confirmed malicious, it could lead to data breaches, service outages, financial losses, and reputational damage.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$$|-[abcdef0-9]{8,10}-\\w{5}$$\", \"\") | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = 'k8s.cluster.name' + \":\" + 'service' | lookup k8s_container_network_io_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_io_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_inbound_outbound_network_io_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "k8s_container_network_io_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO", "collection": "k8s_container_network_io_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "author": "Matthew Moore, Splunk", "date": "2024-05-26", "version": 2, "id": "9d8f6e3f-39df-46d8-a9d4-96173edc501f", "description": "The following analytic identifies significant changes in network communication behavior within Kubernetes containers by examining the inbound to outbound network IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. Anomalies are detected using a lookup table containing average and standard deviation values for network IO, triggering an event if the anomaly persists for over an hour. This activity is significant as it may indicate data exfiltration, command and control communication, or compromised container behavior. If confirmed malicious, it could lead to data breaches, service outages, and unauthorized access within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "k8s_container_network_io_ratio_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO Ratio", "collection": "k8s_container_network_io_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-05-25", "version": 2, "id": "dd6afee6-e0a3-4028-a089-f47dd2842c22", "description": "The following analytic identifies anomalously high outbound network activity from processes running within containerized workloads in a Kubernetes environment. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average metrics over the past 30 days. This activity is significant as it may indicate data exfiltration, process modification, or container compromise. If confirmed malicious, it could lead to unauthorized data exfiltration, communication with malicious entities, or further attacks within the containerized environment.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key='source.workload.name' + \":\" + 'source.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key='source.workload.name' + \":\" + 'source.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_outbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "author": "Matthew Moore, Splunk", "date": "2024-05-24", "version": 2, "id": "886c7e51-2ea1-425d-8705-faaca5a64cc6", "description": "The following analytic identifies anomalous network traffic volumes between Kubernetes workloads or between a workload and external sources. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days to identify significant deviations. This activity is significant as unexpected spikes may indicate unauthorized data transfers or lateral movement. If confirmed malicious, it could lead to data exfiltration or compromise of additional services, potentially resulting in data breaches.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key='source.workload.name' + \":\" + 'dest.workload.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key='source.workload.name' + \":\" + 'dest.workload.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_traffic_on_network_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "author": "Rod Soto, Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 3, "id": "042a3d32-8318-4763-9679-09db2644a8f2", "description": "The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from `kube_audit` logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk.", "references": [], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` user.username=\"system:anonymous\" user.groups{} IN (\"system:unauthenticated\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Create or Update Privileged Pod", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "3c6bd734-334d-4818-ae7c-5234313fc5da", "description": "The following analytic detects the creation or update of privileged pods in Kubernetes. It identifies this activity by monitoring Kubernetes Audit logs for pod configurations that include root privileges. This behavior is significant for a SOC as it could indicate an attempt to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, data breaches, and service disruptions, posing a severe threat to the environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes privileged pod created by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"privileged\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_create_or_update_privileged_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Cron Job Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "5984dbe8-572f-47d7-9251-3dff6c3f0c0d", "description": "The following analytic detects the creation of a Kubernetes cron job, which is a task scheduled to run automatically at specified intervals. It identifies this activity by monitoring Kubernetes Audit logs for the creation events of cron jobs. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes cron job creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1053.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` verb=create \"objectRef.resource\"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_cron_job_creation_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_cron_job_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes DaemonSet Deployed", "author": "Patrick Bareiss, Splunk", "date": "2024-05-16", "version": 2, "id": "bf39c3a3-b191-4d42-8738-9d9797bd0c3a", "description": "The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. This behavior is identified by monitoring Kubernetes Audit logs for the creation event of a DaemonSet. DaemonSets ensure a specific pod runs on every node, making them a potential vector for persistent access. This activity is significant for a SOC as it could indicate an attempt to maintain persistent access to the Kubernetes infrastructure. If confirmed malicious, it could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "DaemonSet deployed to Kubernetes by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_daemonset_deployed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Falco Shell Spawned", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "d2feef92-d54a-4a19-8306-b47c6ceba5b2", "description": "The following analytic detects instances where a shell is spawned within a Kubernetes container. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment and flags when a shell is spawned. This activity is significant for a SOC as it may indicate unauthorized access, allowing an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges. If confirmed malicious, this could lead to data breaches, service disruptions, or unauthorized access to sensitive information, severely impacting the Kubernetes infrastructure's integrity and security.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A shell is spawned in the container $container_name$ by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_container_falco` \"A shell was spawned in a container\" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user | `kubernetes_falco_shell_spawned_filter`", "how_to_implement": "The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_container_falco", "definition": "sourcetype=\"kube:container:falco\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_falco_shell_spawned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen TCP edge", "author": "Matthew Moore, Splunk", "date": "2024-05-15", "version": 2, "id": "13f081d6-7052-428a-bbb0-892c79ca7c65", "description": "The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen TCP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_tcp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen UDP edge", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "49b7daca-4e3c-4899-ba15-9a175e056fa9", "description": "The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen UDP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_udp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Nginx Ingress LFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "0f83244b-425b-4528-83db-7a88c5f66e48", "description": "The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Local File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1212"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request \"^(?\\S+)\\s(?\\S+)\\s\" | eval phase=\"operate\" | eval severity=\"high\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_nginx_ingress_lfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack", "filename": "local_file_inclusion_paths.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "fields_list": null}]}, {"name": "Kubernetes Nginx Ingress RFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "description": "The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Remote File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1212"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rex field=request \"^(?\\S+)?\\s(?\\S+)\\s\" | rex field=url \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase=\"operate\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_nginx_ingress_rfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kubernetes Node Port Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "d7fc865e-b8a1-4029-a960-cf4403b821b6", "description": "The following analytic detects the creation of a Kubernetes NodePort service, which exposes a service to the external network. It identifies this activity by monitoring Kubernetes Audit logs for the creation of NodePort services. This behavior is significant for a SOC as it could allow an attacker to access internal services, posing a threat to the Kubernetes infrastructure's integrity and security. If confirmed malicious, this activity could lead to data breaches, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes node port creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_node_port_creation_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_node_port_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod Created in Default Namespace", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "3d6b1a81-367b-42d5-a925-6ef90b6b9f1e", "description": "The following analytic detects the creation of Kubernetes pods in the default, kube-system, or kube-public namespaces. It leverages Kubernetes audit logs to identify pod creation events within these specific namespaces. This activity is significant for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Unauthorized pod creation in these namespaces can suggest a successful cluster breach, potentially leading to privilege escalation, persistent access, or further malicious activities within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes Pod Created in Default Namespace by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN (\"default\", \"kube-system\", \"kube-public\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_created_in_default_namespace_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_created_in_default_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod With Host Network Attachment", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 2, "id": "cce357cf-43a4-494a-814b-67cea90fe990", "description": "The following analytic detects the creation or update of a Kubernetes pod with host network attachment. It leverages Kubernetes Audit logs to identify pods configured with host network settings. This activity is significant for a SOC as it could allow an attacker to monitor all network traffic on the node, potentially capturing sensitive information and escalating privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, and service disruptions, severely impacting the security and integrity of the Kubernetes environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes pod with host network attachment from user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"hostNetwork\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_with_host_network_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Container Image Name", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "fea515a4-b1d8-4cd6-80d6-e0d71397b891", "description": "The following analytic identifies the creation of containerized workloads using previously unseen images in a Kubernetes cluster. It leverages process metrics from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability Cloud. The detection compares container image names seen in the last hour with those from the previous 30 days. This activity is significant as unfamiliar container images may introduce vulnerabilities, malware, or misconfigurations, posing threats to the cluster's integrity. If confirmed malicious, compromised images can lead to data breaches, service disruptions, unauthorized access, and potential lateral movement within the cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Container Image Name on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"True\" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"false\" ] | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current=\"true\" AND current!=\"false\" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_container_image_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Process", "author": "Matthew Moore, Splunk", "date": "2024-05-13", "version": 2, "id": "c8119b2f-d7f7-40be-940a-1c582870e8e2", "description": "The following analytic detects previously unseen processes within the Kubernetes environment on master or worker nodes. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud. This detection compares processes observed in the last hour against those seen in the previous 30 days. Identifying new processes is crucial as they may indicate unauthorized activity or attempts to compromise the node. If confirmed malicious, these processes could lead to data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware, posing significant risks to the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Process on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current=\"True\" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_previously_unseen_process_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process Running From New Path", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "454076fb-0e9e-4adf-b93a-da132621c5e6", "description": "The following analytic identifies processes running from newly seen paths within a Kubernetes environment. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares processes observed in the last hour with those seen over the previous 30 days. This activity is significant as it may indicate unauthorized changes, compromised nodes, or the introduction of malicious software. If confirmed malicious, it could lead to unauthorized process execution, control over critical resources, data exfiltration, privilege escalation, or malware introduction within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process Running From New Path on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current=\"True\" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_process_running_from_new_path_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_running_from_new_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "25ca9594-7a0d-4a95-a5e5-3228d7398ec8", "description": "The following analytic identifies high resource utilization anomalies in Kubernetes processes. It leverages process metrics from an OTEL collector and hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values to spot anomalies. This activity is significant as high resource utilization can indicate security threats like cryptojacking, unauthorized data exfiltration, or compromised containers. If confirmed malicious, such anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Anomalous Resource Utilisation on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_anomalous_resource_utilisation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_baseline", "description": "A place holder for a list of used Kuberntes Process Resource", "collection": "k8s_process_resource_baseline", "case_sensitive_match": null, "fields_list": "host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key"}]}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "author": "Matthew Moore, Splunk", "date": "2024-05-30", "version": 2, "id": "0d42b295-0f1f-4183-b75e-377975f47c65", "description": "The following analytic detects anomalous changes in resource utilization ratios for processes running on a Kubernetes node. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk Observability Cloud. The detection uses a lookup table containing average and standard deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). Significant deviations from these baselines may indicate compromised processes, malicious activity, or misconfigurations. If confirmed malicious, this could signify a security breach, allowing attackers to manipulate workloads, potentially leading to data exfiltration or service disruption.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Resource Ratio Anomalies on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.disk.operations' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_resource_ratio_anomalies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_ratio_baseline", "description": "A place holder for a list of used Kuberntes Process Ratios", "collection": "k8s_process_resource_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen"}]}, {"name": "Kubernetes Scanner Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 2, "id": "4890cd6b-0112-4974-a272-c5c153aee551", "description": "The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Scanner image pulled on host $host$", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kube_objects_events` object.message IN (\"Pulling image *kube-hunter*\", \"Pulling image *kube-bench*\", \"Pulling image *kube-recon*\", \"Pulling image *kube-recon*\") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase=\"operate\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kube_objects_events", "definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanner_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "author": "Patrick Bareiss, Splunk", "date": "2024-05-10", "version": 2, "id": "f9cadf4e-df22-4f4e-a08f-9d3344c2165d", "description": "The following analytic identifies potential scanning activities within a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) from the same source IP. This activity is significant as it may indicate an attacker probing for vulnerabilities or attempting to exploit known issues. If confirmed malicious, such scanning could lead to unauthorized access, data breaches, or further exploitation of the Kubernetes infrastructure, compromising the security and integrity of the environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1046"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter`", "how_to_implement": "You must ingest Kubernetes audit logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanning_by_unauthenticated_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node", "author": "Matthew Moore, Splunk", "date": "2024-05-25", "version": 2, "id": "efebf0c4-dcf4-496f-85a2-5ab7ad8fa876", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It leverages process metrics from an OTEL collector hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, pulled from Splunk Observability Cloud. This activity is significant as unauthorized shell processes can indicate potential security threats, providing attackers an entry point to compromise the node and the entire Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "author": "Matthew Moore, Splunk", "date": "2024-05-11", "version": 2, "id": "cc1448e3-cc7a-4518-bc9f-2fa48f61a22b", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node, specifically when shell processes are consuming CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring Add-on, focusing on process.cpu.utilization and process.memory.utilization. This activity is significant as unauthorized shell processes can indicate a security threat, potentially compromising the node and the entire Kubernetes cluster. If confirmed malicious, attackers could gain full control over the host's resources, leading to data theft, service disruption, privilege escalation, and further attacks within the cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell with cpu activity running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Suspicious Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 2, "id": "4d3a17b3-0a6d-4ae0-9421-46623a69c122", "description": "The following analytic detects suspicious image pulling in Kubernetes environments. It identifies this activity by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is significant for a SOC as it may indicate an attacker attempting to deploy malicious software or infiltrate the system. If confirmed malicious, the impact could be severe, potentially leading to unauthorized access to sensitive systems or data, and enabling further malicious activities within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` requestObject.message=\"Pulling image*\" | search NOT `kube_allowed_images` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_suspicious_image_pulling_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_images", "definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_suspicious_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Unauthorized Access", "author": "Patrick Bareiss, Splunk", "date": "2024-05-21", "version": 2, "id": "9b5f1832-e8b9-453f-93df-07a3d6a72a45", "description": "The following analytic detects unauthorized access attempts to Kubernetes by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by examining the source of requests and their response statuses. This activity is significant for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes environment. If confirmed malicious, such access could lead to unauthorized control over Kubernetes resources, potentially compromising sensitive systems or data within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Unauthorized access to Kubernetes from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_unauthorized_access_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_unauthorized_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Add App Role Assignment Grant User", "author": "Rod Soto, Splunk", "date": "2024-05-19", "version": 3, "id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "description": "The following analytic detects the addition of an application role assignment grant to a user in Office 365. It leverages data from the `o365_management_activity` dataset, specifically monitoring the \"Add app role assignment grant to user\" operation. This activity is significant as it can indicate unauthorized privilege escalation or the assignment of sensitive roles to users. If confirmed malicious, this could allow an attacker to gain elevated permissions, potentially leading to unauthorized access to critical resources and data within the Office 365 environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ has created a new federation setting $modified_properties_name$ on $dest$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment grant to user.\" | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_add_app_role_assignment_grant_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Added Service Principal", "author": "Rod Soto, Splunk", "date": "2024-05-27", "version": 4, "id": "1668812a-6047-11eb-ae93-0242ac130002", "description": "The following analytic detects the addition of new service principal accounts in O365 tenants. It leverages data from the `o365_management_activity` dataset, specifically monitoring for operations related to adding or creating service principals. This activity is significant because attackers can exploit service principals to gain unauthorized access and perform malicious actions within an organization's environment. If confirmed malicious, this could allow attackers to interact with APIs, access resources, and execute operations on behalf of the organization, potentially leading to data breaches or further compromise.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"*Add service principal*\" OR (Operation = \"*principal*\" AND action = \"created\") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_added_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "8a1b22eb-50ce-4e26-a691-97ff52349569", "description": "The following analytic identifies instances where a service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent. It leverages `o365_management_activity` logs, specifically focusing on the 'Add app role assignment to service principal' operation. This activity is significant for SOCs as it may indicate a bypass of critical administrative controls, potentially leading to unauthorized access or privilege escalation. If confirmed malicious, this could allow an attacker to misuse automated processes to assign sensitive permissions, compromising the security of the environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment to service principal.\" | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', 0) | search userType = \"ServicePrincipal\" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Advanced Audit Disabled", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "49862dd4-9cb2-4c48-a542-8c8a588d9361", "description": "The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.", "references": ["https://attack.mitre.org/techniques/T1562/008/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Advanced auditing for user $object$ was disabled by $user$", "risk_score": 32, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Change user license.\" | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = \"extendedAuditEventCategory\" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, \"NewValue\") | eval possible_plan=mvindex(split_value, 1) | rex field=\"possible_plan\" \"DisabledPlans=\\[(?P[^\\]]+)\\]\" | search DisabledPlans IN (\"*M365_ADVANCED_AUDITING*\") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_advanced_audit_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Application Registration Owner Added", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "c068d53f-6aaa-4558-8011-3734df878266", "description": "The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $app_displayName$ was assigned a new owner $object$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add owner to application.\" | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Application owners may be added for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_application_registration_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "49cdce75-f814-4d56-a7a4-c64ec3a481f2", "description": "The following analytic detects the assignment of the ApplicationImpersonation role in Office 365 to a user or application. It uses the Office 365 Management Activity API to monitor Azure Active Directory audit logs for role assignment events. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. If confirmed malicious, an attacker could gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user, posing a severe security risk to the organization.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://www.mandiant.com/media/17656"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "target_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted the ApplicationImpersonation role to $target_user$", "risk_score": 56, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-ManagementRoleAssignment\" Role=ApplicationImpersonation | rename User as target_user | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_applicationimpersonation_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "12a23592-e3da-4344-8545-205d3290647c", "description": "The following analytic detects when the \"risk-based step-up consent\" security setting in Microsoft 365 is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats, allowing users to grant consent to malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Risk-based step-up consent security setting was disabled by $user$", "risk_score": 30, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update authorization policy.\" | eval index_number = if(mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) | where AllowUserConsentForRiskyApps like \"%true%\" | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Bypass MFA via Trusted IP", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 4, "id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "description": "The following analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. It leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. This activity is significant because adding trusted IPs can weaken the security posture by bypassing MFA, which is a critical security control. If confirmed malicious, this could lead to unauthorized access, compromising sensitive information and systems. Immediate investigation is required to validate the legitimacy of the IP addition.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/techniques/T1562/007/", "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ip_addresses_new_added", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Set Company Information.\" ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | rex max_match=100 field=ModifiedProperties{}.OldValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,\"0\") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter`", "how_to_implement": "You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_bypass_mfa_via_trusted_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Compliance Content Search Exported", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8", "description": "The following analytic identifies when the results of a content search within the Office 365 Security and Compliance Center are exported. It uses the SearchExported operation from the SecurityComplianceCenter workload in the o365_management_activity data source. This activity is significant because exporting search results can involve sensitive or critical organizational data, potentially leading to data exfiltration. If confirmed malicious, an attacker could gain access to and exfiltrate sensitive information, posing a severe risk to the organization's data security and compliance posture.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search export was started by $user$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=\"SearchExported\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searche exports may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_compliance_content_search_exported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Compliance Content Search Started", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "f4cabbc7-c19a-4e41-8be5-98daeaccbb50", "description": "The following analytic detects when a content search is initiated within the Office 365 Security and Compliance Center. It leverages the SearchCreated operation from the o365_management_activity logs under the SecurityComplianceCenter workload. This activity is significant as it may indicate an attempt to access sensitive organizational data, including emails and documents. If confirmed malicious, this could lead to unauthorized data access, potential data exfiltration, and compliance violations. Monitoring this behavior helps ensure the integrity and security of organizational data.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search was started by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searches may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_compliance_content_search_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "58e034de-1f87-4812-9dc3-a4f68c7db930", "description": "The following analytic identifies user sessions in Office 365 accessed from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) phishing attacks. It detects this activity by analyzing Azure Active Directory logs for 'UserLoggedIn' operations and flags sessions with more than one associated IP address. This behavior is significant as it suggests unauthorized concurrent access, which is uncommon in normal usage. If confirmed malicious, the impact could include data theft, account takeover, and the launching of internal phishing campaigns, posing severe risks to organizational security.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ips", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has logged in with the same session id from more than one unique IP address", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Disable MFA", "author": "Rod Soto, Splunk", "date": "2024-05-11", "version": 3, "id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "description": "The following analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to MFA settings. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. If confirmed malicious, this activity could indicate an attacker attempting to maintain persistence or an insider threat, significantly increasing the risk of unauthorized access. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.", "references": ["https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has executed an operation $action$ for user $user$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1556"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Disable Strong Authentication.\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to disable MFA or Strong Authentication", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_disable_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Elevated Mailbox Permission Assigned", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "2246c142-a678-45f8-8546-aaed7e0efd30", "description": "The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission", "https://learn.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Elevated mailbox permissions were assigned on $dest_user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_elevated_mailbox_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Excessive Authentication Failures Alert", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 3, "id": "d441364c-349c-453b-b55f-12eccab67cf9", "description": "The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The threshold for alert is above 10 attempts and this should reduce the number of false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_excessive_authentication_failures_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Excessive SSO logon errors", "author": "Rod Soto, Splunk", "date": "2024-05-17", "version": 4, "id": "8158ccc4-6038-11eb-ae93-0242ac130002", "description": "The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization.", "references": ["https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1556"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_excessive_sso_logon_errors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 File Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "6c382336-22b8-4023-9b80-1689e799f21f", "description": "The following analytic identifies instances where a user in the Office 365 environment grants consent to an application requesting file permissions for OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application consent events. This activity is significant because granting such permissions can allow applications to access, modify, or delete files, posing a risk if the application is malicious or overly permissive. If confirmed malicious, this could lead to data breaches, data loss, or unauthorized data manipulation, necessitating immediate investigation to validate the application's legitimacy and assess potential risks.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests file-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Files.Read\", \"Files.Read.All\", \"Files.ReadWrite\", \"Files.ReadWrite.All\", \"Files.ReadWrite.AppFolder\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require file permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_file_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "01a510b3-a6ac-4d50-8812-7e8a3cde3d79", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application registration in Office 365 Exchange Online. This detection leverages Office 365 management activity logs and filters Azure Active Directory workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is granted. This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. If confirmed malicious, this could lead to unauthorized data access, exfiltration, or account compromise. Immediate investigation is required.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098.002", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 High Number Of Failed Authentications for User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "31641378-2fa9-42b1-948e-25e281cb98f7", "description": "The following analytic identifies an O365 account experiencing more than 20 failed authentication attempts within 5 minutes. It uses O365 Unified Audit Logs, specifically \"UserLoginFailed\" events, to monitor and flag accounts exceeding this threshold. This activity is significant as it may indicate a brute force attack or password guessing attempt. If confirmed malicious, an attacker could gain unauthorized access to the O365 environment, potentially compromising sensitive emails, documents, and other data. Prompt investigation and action are crucial to prevent unauthorized access and data breaches.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to authenticate more than 10 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Although unusual, users who have lost their passwords may trigger this detection. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "O365 High Privilege Role Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "e78a1037-4548-4072-bb1b-ad99ae416426", "description": "The following analytic detects when high-privilege roles such as \"Exchange Administrator,\" \"SharePoint Administrator,\" or \"Global Administrator\" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide", "https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted high privilege roles to $ObjectId$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Add member to role.\" Workload=AzureActiveDirectory | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) | where role_id IN (\"29232cdf-9323-42fd-ade2-1d097af3e4de\", \"f28a1f50-f6e7-4571-818b-6a12f2af6b6c\", \"62e90394-69f5-4237-9190-012177145e10\") | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privilege roles may be assigned for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_high_privilege_role_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "fddad083-cdf5-419d-83c6-baa85e329595", "description": "The following analytic identifies instances where a user grants consent to an application requesting mail-related permissions within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to application permissions and user consent actions. This activity is significant as it can indicate potential security risks, such as data exfiltration or spear phishing, if malicious applications gain access. If confirmed malicious, this could lead to unauthorized data access, email forwarding, or sending malicious emails from the compromised account. Validating the legitimacy of the application and consent context is crucial to prevent data breaches.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests mail-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Mail.Read\", \"Mail.ReadBasic\", \"Mail.ReadWrite\", \"Mail.Read.Shared\", \"Mail.ReadWrite.Shared\", \"Mail.Send\", \"Mail.Send.Shared\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mail_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Email Forwarding Enabled", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "0b6bc75c-05d1-4101-9fc3-97e706168f24", "description": "The following analytic identifies instances where email forwarding has been enabled on mailboxes within an Office 365 environment. It detects this activity by monitoring the Set-Mailbox operation within the o365_management_activity logs, specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress parameters. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "references": ["https://attack.mitre.org/techniques/T1114/003/", "https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Email forwarding configured by $user$ on mailbox $ObjectId$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', \"ForwardingAddress\") | eval match2=mvfind('Parameters{}.Name', \"ForwardingSmtpAddress\") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) | search ForwardTo!=\"\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Email forwarding may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_email_forwarding_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "1435475e-2128-4417-a34f-59770733b0d5", "description": "The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946", "https://learn.microsoft.com/en-us/purview/audit-mailboxes"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_folder_read_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "cd15c0a8-470e-4b12-9517-046e4927db30", "description": "The following analytic identifies instances where read permissions are granted to mailbox folders within an Office 365 environment. It detects this activity by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` and `Add-MailboxFolderPermission` operations. This behavior is significant as it may indicate unauthorized access or changes to mailbox folder permissions, potentially exposing sensitive email content. If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange (Operation=\"Set-MailboxFolderPermission\" OR Operation=\"Add-MailboxFolderPermission\" ) | eval isReadRole=if(match(AccessRights, \"^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$\"), \"true\", \"false\") | search isReadRole=\"true\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_folder_read_permission_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "21421896-a692-4594-9888-5faeb8a53106", "description": "The following analytic detects instances where the inbox folder of an Office 365 mailbox is shared with all users within the tenant. It leverages Office 365 management activity events to identify when the 'Inbox' folder permissions are modified to include 'Everyone' with read rights. This activity is significant as it represents a potential security risk, allowing unauthorized access to sensitive emails. If confirmed malicious, this could lead to data breaches, exfiltration of confidential information, and further compromise through spear-phishing or other malicious activities based on the accessed email content.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.blackhillsinfosec.com/abusing-exchange-mailbox-permissions-mailsniper/", "https://learn.microsoft.com/en-us/purview/audit-mailboxes", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "MailboxOwnerUPN", "type": "User", "role": ["Victim"]}], "message": "Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | search isReadRole = \"true\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_inbox_folder_shared_with_all_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Read Access Granted to Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "27ab61c5-f08a-438a-b4d3-325e666490b3", "description": "The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.cisa.gov/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://graphpermissions.merill.net/permission/Mail.Read"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $object$ was grandes mailbox read access by $user$", "risk_score": 45, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1114.002", "T1114", "T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Update application.\" | eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) | eval json_data=replace(json_data, \"^\\[\\s*\", \"\") | eval json_data=replace(json_data, \"\\s*\\]$\", \"\") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\") | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_read_access_granted_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 2, "id": "ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa", "description": "The following analytic identifies a spike in failed authentication attempts within an Office 365 environment, indicative of a potential distributed password spraying attack. It leverages UserLoginFailed events from O365 Management Activity logs, focusing on ErrorNumber 50126. This detection is significant as it highlights attempts to bypass security controls using multiple IP addresses and user agents. If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. Early detection is crucial to prevent account takeovers and mitigate subsequent threats.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "66adc486-224d-45c1-8e4d-9e7eeaba988f", "description": "The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "fd22124e-dbac-4744-a8ce-be10d8ec3e26", "description": "The following analytic identifies potential \"MFA fatigue\" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requestes for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "7cd853e9-d370-412f-965d-a2bcff2a2908", "description": "The following analytic detects when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within a short timeframe. It leverages 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. This activity is significant as it may indicate unauthorized mass email access, potentially signaling data exfiltration or account compromise. If confirmed malicious, attackers could gain access to sensitive information, leading to data breaches and further exploitation of compromised accounts. The threshold is set to flag over five unique mailboxes accessed within 10 minutes, but should be tailored to your environment.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, \"^Client=WebServices;ExchangeWebServices\"), 1, 0) | search (AppId=\"00000003-0000-0000-c000-000000000000\" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_mailboxes_accessed_via_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe", "description": "The following analytic identifies instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in the Office 365 Azure Active Directory environment. This activity is significant as it may indicate a compromised or malicious service principal attempting to expand control or access within the network. If confirmed malicious, this could lead to unauthorized access and potential lateral movement within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"ServicePrincipal\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "a34e65d0-54de-4b02-9db8-5a04522067f6", "description": "The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in Azure Active Directory. This activity is significant as it may indicate a compromised user account or unauthorized actions, potentially leading to broader network infiltration or privilege escalation. If confirmed malicious, this behavior could allow attackers to gain persistent access, escalate privileges, or exfiltrate sensitive information.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"User\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "8d486e2e-3235-4cfe-ac35-0d042e24ecb4", "description": "The following analytic identifies instances where more than 10 unique user accounts fail to authenticate from a single IP address within a 5-minute window. This detection leverages O365 audit logs, specifically Azure Active Directory login failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to breach security by targeting multiple accounts, potentially leading to unauthorized access. Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "68469fd0-1315-44ba-b7e4-e92847bb76d6", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', \"ForwardTo\") | eval match2=mvfind('Parameters{}.Name', \"ForwardAsAttachmentTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectTo\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_email_forwarding_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Enabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "ac7c4d0a-06a3-4278-aa59-88a5e537f981", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment via the UpdateInboxRules operation. It leverages Office 365 management activity events to detect rules that forward emails to external recipients by examining the OperationProperties for specific forwarding actions. This activity is significant as it may indicate unauthorized email redirection, potentially leading to data exfiltration. If confirmed malicious, attackers could intercept sensitive communications, leading to data breaches and information leakage.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind('OperationProperties{}.Value', \"ForwardToRecipientsAction\") | eval match2=mvfind('OperationProperties{}.Value', \"ForwardAsAttachmentToRecipientsAction\") | eval match3=mvfind('OperationProperties{}.Value', \"RedirectToRecipientsAction\") | eval index = mvfind('OperationProperties{}.Name', \"ServerRule\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value', index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted=\"*@*.*\" | eval ForwardTo=if(match(valueExtracted, \"^[^@]+@[^@]+\\\\.[^@]+$\"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_email_forwarding_rule_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New Federated Domain Added", "author": "Rod Soto, Mauricio Velazco Splunk", "date": "2024-05-28", "version": 4, "id": "e155876a-6048-11eb-ae93-0242ac130002", "description": "The following analytic identifies the addition of a new federated domain in an Office 365 environment. This behavior is detected by analyzing Office 365 management activity logs, specifically filtering for Workload=Exchange and Operation=\"Add-FederatedDomain\". The addition of a new federated domain is significant as it may indicate unauthorized changes or potential compromises. If confirmed malicious, attackers could establish a backdoor, bypass security measures, or exfiltrate data, leading to data breaches and unauthorized access to sensitive information. Immediate investigation is required to review the details of the added domain and any concurrent suspicious activities.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://o365blog.com/post/aadbackdoor/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has added a new federated domain $new_value$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation IN (\"*add*\", \"*new*\") AND Operation=\"*domain*\" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.", "known_false_positives": "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New Forwarding Mailflow Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "289ed0a1-4c78-4a43-9321-44ea2e089c14", "description": "The following analytic detects the creation of new mail flow rules in Office 365 that may redirect or copy emails to unauthorized or external addresses. It leverages Office 365 Management Activity logs, specifically querying for the \"New-TransportRule\" operation and parameters like \"BlindCopyTo\", \"CopyTo\", and \"RedirectMessageTo\". This activity is significant as it can indicate potential data exfiltration or unauthorized access to sensitive information. If confirmed malicious, attackers could intercept or redirect email communications, leading to data breaches or information leakage.", "references": ["https://attack.mitre.org/techniques/T1114/", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new forwarding mailflow rule was created by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-TransportRule\" | eval match1=mvfind('Parameters{}.Name', \"BlindCopyTo\") | eval match2=mvfind('Parameters{}.Name', \"CopyTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectMessageTo\") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!=\"\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Forwarding mail flow rules may be created for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_forwarding_mailflow_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "4e12db1f-f7c7-486d-8152-a221cad6ac2b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was added for $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update user.\" | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "e600cf1a-0bef-4426-b42e-00176d610a4d", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. It leverages the ClientInfoString field to identify EWS interactions and aggregates metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing emails through EWS is crucial for identifying potential abuse or unauthorized data access. If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString=\"^Client=WebServices;ExchangeWebServices\" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_oauth_app_mailbox_access_via_ews_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "9db0d5b0-4058-4cb7-baaf-77d8143539a2", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. This activity is significant as unauthorized access to emails can lead to data breaches and information theft. If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization’s network.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_oauth_app_mailbox_access_via_graph_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb", "description": "The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 PST export alert", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 3, "id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "description": "The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name \"eDiscovery search started or exported.\" This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required.", "references": ["https://attack.mitre.org/techniques/T1114/"], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Source", "type": "User", "role": ["Victim"]}], "message": "User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Category=ThreatManagement Name=\"eDiscovery search started or exported\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_pst_export_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Security And Compliance Alert Triggered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 2, "id": "5b367cdd-8dfc-49ac-a9b7-6406cf27f33e", "description": "The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide", "https://learn.microsoft.com/en-us/purview/alert-policies"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Security and Compliance triggered an alert for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data path=lon output=operation_name | spath input=Data path=an output=alert_name | spath input=Data path=sev output=severity | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_security_and_compliance_alert_triggered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Service Principal New Client Credentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "a1b229e9-d962-4222-8c62-905a8a010453", "description": "The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "New credentials added for Service Principal $object$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application*Certificates and secrets management \" | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "50eaabf8-5180-4e86-bfb2-011472c359fc", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The $object$ application registration was granted tenant wide admin consent.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Consent to application.\" | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "242e4d30-cb59-4051-b0cf-58895e218f40", "description": "The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "O365 has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = \"Risky application detected\" | rex field=permissions \"Scope: (?[^,]+)\" | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "2d8679ef-b075-46be-8059-c25116cb1072", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Office 365 environment. This detection leverages O365 audit logs, focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, it captures instances where users have actively rejected permission requests. This activity is significant as it may indicate users spotting potentially suspicious or unfamiliar applications. If confirmed malicious, it suggests an attempt by a potentially harmful application to gain unauthorized access, which was proactively blocked by the user.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ denifed consent for an OAuth application.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_graph` status.errorCode=65004 | rename userPrincipalName as user | rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_graph", "definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Risk Rule for Dev Sec Ops by Repository", "author": "Bhavin Patel", "date": "2024-05-24", "version": 2, "id": "161bc0ca-4651-4c13-9c27-27770660cf67", "description": "The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages risk events from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Amazon Elastic Container Registry", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Other", "role": ["Victim"]}], "message": "Correlation triggered for repository $risk_object$", "risk_score": 70, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Dev Sec Ops\" All_Risk.risk_object_type = \"other\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`", "how_to_implement": "Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security.", "known_false_positives": "Unknown", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "risk_rule_for_dev_sec_ops_by_repository_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0dac4", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_launched_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "dec41ad5-d579-42cb-b4c6-f5dbb778bbe5", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_launched_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "8d301246-fccf-45e2-a8e7-3655fd14379c", "description": "This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_terminated_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "1c02b86a-cd85-473e-a50b-014a9ac8fe3e", "description": "This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename \"IsOutlier(instances_terminated)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "ASL AWS CreateAccessKey", "author": "Patrick Bareiss, Splunk", "date": "2022-05-23", "version": 1, "id": "ccb3e4af-23d6-407f-9842-a26212816c9e", "description": "This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $responseElements.accessKey.userName$ is attempting to create access keys for $responseElements.accessKey.userName$ from this IP $src_endpoint.ip$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin \"^(?[^,]+),(?.*)$\" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2023-06-01", "version": 1, "id": "ff2bfdbc-65b7-4434-8f08-d55761d1d446", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "user $identity.user.name$ has excessive number of api calls.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Password Policy Changes", "author": "Patrick Bareiss, Splunk", "date": "2023-05-22", "version": 1, "id": "5ade5937-11a2-4363-ba6b-39a3ee8d5b1a", "description": "This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $identity.user.name$ is attempting to $api.operation$ the password policy for accounts", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` \"api.service.name\"=\"iam.amazonaws.com\" \"api.operation\" IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") \"api.response.error\"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen City", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "344a1778-0b25-490c-adb1-de8beddf59cd", "description": "This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "ceb8d3d8-06cb-49eb-beaf-829526e33ff0", "description": "This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "42e15012-ac14-4801-94f4-f1acbe64880b", "description": "This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "7971d3df-da82-4648-a6e5-b5637bea5253", "description": "This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7f227943-2196-4d4d-8d6a-ac8cb308e61c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`", "how_to_implement": "You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clients Connecting to Multiple DNS Servers", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "74ec6f18-604b-4202-a567-86b2066be3ce", "description": "This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\"Network_Resolution\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter`", "how_to_implement": "This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Distinct DNS Connections, **Field:** dest_count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "clients_connecting_to_multiple_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Cloud Network Access Control List Deleted", "author": "Peter Gael, Splunk", "date": "2020-09-08", "version": 1, "id": "021abc51-1862-41dd-ad43-43c739c0a983", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloud_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Correlation by Repository and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687", "description": "This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "correlation_by_repository_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Correlation by User and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "610e12dc-b6fa-4541-825e-4a0b3b6f6773", "description": "The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "correlation_by_user_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Activity Related to Pass the Hash Attacks", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2020-10-15", "version": 6, "id": "f5939373-8054-40ad-8c64-cec478a22a4b", "description": "This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique.", "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName=\"ANONYMOUS LOGON\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`", "how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.", "known_false_positives": "Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "detect_activity_related_to_pass_the_hash_attacks_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect API activity from users without MFA", "author": "Bhavin Patel, Splunk", "date": "2018-05-17", "version": 1, "id": "4d46e8bd-4072-48e4-92db-0325889ef894", "description": "This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** AWS User ARN, **Field:** userIdentity.arn\n* **Label:** AWS User Type, **Field:** userIdentity.type\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_api_activity_from_users_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d82362d4bd55", "description": "This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \"Create a list of approved AWS service accounts\": run it once every 30 days to create and validate a list of service accounts.\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** First Time, **Field:** firstTime\n* **Label:** Last Time, **Field:** lastTime\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_aws_api_activities_from_unapproved_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "24dd17b1-e2fb-4c31-878c-d4f226595bfa", "description": "This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.", "references": [], "tags": {"analytic_story": ["Common Phishing Frameworks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1566.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \"Web.*\" as * | rex field=site \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`", "how_to_implement": "You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app.\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`)", "known_false_positives": "If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.", "datamodel": ["Network_Resolution", "Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "evilginx_phishlets_0365", "definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365"}, {"name": "evilginx_phishlets_amazon", "definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon"}, {"name": "evilginx_phishlets_aws", "definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console"}, {"name": "evilginx_phishlets_facebook", "definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook"}, {"name": "evilginx_phishlets_github", "definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub"}, {"name": "evilginx_phishlets_google", "definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google"}, {"name": "evilginx_phishlets_outlook", "definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook"}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Long DNS TXT Record Response", "author": "Rico Valdez, Splunk", "date": "2020-07-21", "version": 2, "id": "05437c07-62f5-452e-afdc-04dd44815bb9", "description": "This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \"Source IP\", dest as \"Destination IP\", answer as \"DNS Answer\" anslen as \"Answer Length\" record_type as \"DNS Record Type\" firstTime as \"First Time\" lastTime as \"Last Time\" count as Count | table \"Source IP\" \"Destination IP\" \"DNS Answer\" \"DNS Record Type\" \"Answer Length\" Count \"First Time\" \"Last Time\" | `detect_long_dns_txt_record_response_filter`", "how_to_implement": "To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.", "known_false_positives": "It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_long_dns_txt_record_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Mimikatz Using Loaded Images", "author": "Patrick Bareiss, Splunk", "date": "2019-12-03", "version": 1, "id": "29e307ba-40af-4ab2-91b2-3c6b392bbba0", "description": "This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Cloud Federated Credential Abuse", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack", "Sandworm Tools"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_mimikatz_using_loaded_images_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "author": "Rico Valdez, Splunk", "date": "2019-02-27", "version": 2, "id": "98917be2-bfc8-475a-8618-a9bb06575188", "description": "This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.", "references": [], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`", "how_to_implement": "You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \"Administrators\" to be able to look for the right group membership changes.", "known_false_positives": "The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect new API calls from user roles", "author": "Bhavin Patel, Splunk", "date": "2018-04-16", "version": 1, "id": "22773e84-bac0-4595-b086-20d3f335b4f1", "description": "This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \"-70m@m\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously seen API call per user roles in AWS CloudTrail\" support search once to create a history of previously seen user roles.", "known_false_positives": "It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_api_calls_from_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect new user AWS Console Login", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f3-d82362dffd75", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS Login Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \"-70m@m\"), \"First Time Logging into AWS Console\",\"Previously Seen User\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\"First Time Logging into AWS Console\" | `detect_new_user_aws_console_login_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen users in AWS CloudTrail\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \"Update previously seen users in AWS CloudTrail\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_user_aws_console_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Spike in AWS API Activity", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d32362d4bd55", "description": "This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** Number of API Calls, **Field:** numberOfApiCalls\n* **Label:** Unique API Calls, **Field:** uniqueApisCalled\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "None.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 1, "id": "ada0f478-84a8-4641-a1f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1562.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Network ACL Activity by ARN\" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_network_acl_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "network_acl_events", "definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs"}], "lookups": []}, {"name": "Detect Spike in Security Group Activity", "author": "Bhavin Patel, Splunk", "date": "2018-04-18", "version": 1, "id": "ada0f478-84a8-4641-a3f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the \"Baseline of Security Group Activity by ARN\" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_security_group_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_group_api_calls", "definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups"}], "lookups": []}, {"name": "Detect USB device insertion", "author": "Bhavin Patel, Splunk", "date": "2017-11-27", "version": 1, "id": "104658f4-afdc-499f-9719-17a43f9826f5", "description": "The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Data Protection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\"Removable Storage device\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\"All_Changes\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.", "known_false_positives": "Legitimate USB activity will also be detected. Please verify and investigate as appropriate.", "datamodel": ["Change", "Change_Analysis"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_usb_device_insertion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect web traffic to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd01c18f301", "description": "This search looks for web connections to dynamic DNS providers.", "references": [], "tags": {"analytic_story": ["Dynamic DNS"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`", "how_to_implement": "This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.", "known_false_positives": "It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.", "datamodel": ["Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_web_traffic_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "dynamic_dns_web_traffic", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detection of DNS Tunnels", "author": "Bhavin Patel, Splunk", "date": "2022-02-15", "version": 2, "id": "104658f4-afdc-499f-9719-17a43f9826f4", "description": "This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\nNOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.", "references": [], "tags": {"analytic_story": ["Command And Control", "Data Protection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` dc(\"DNS.query\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.query\" | rename \"DNS.src\" as src \"DNS.query\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\"DNS.answer\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.answer\" | rename \"DNS.src\" as src \"DNS.answer\" as message | eval message=if(message==\"unknown\",\"\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`", "how_to_implement": "To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.", "known_false_positives": "It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detection_of_dns_tunnels_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f6", "description": "This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\"DNS\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.", "known_false_positives": "Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS record changed", "author": "Jose Hernandez, Splunk", "date": "2020-07-21", "version": 3, "id": "44d3a43e-dcd5-49f7-8356-5209bb369065", "description": "The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.", "references": [], "tags": {"analytic_story": ["DNS Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\"unknown\" DNS.answer!=\"\" by DNS.query | rename DNS.query as query | where query!=\"unknown\" | rex field=query \"(?\\w+\\.\\w+?)(?:$|/)\"] | makemv delim=\" \" answer | makemv delim=\" \" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \"Discover DNS record\".\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"DNS Hijack Enrichment\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`)", "known_false_positives": "Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "dns_record_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Dump LSASS via procdump Rename", "author": "Michael Haag, Splunk", "date": "2021-02-01", "version": 1, "id": "21276daa-663d-11eb-ae93-0242ac130002", "description": "Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$, attempting to dump lsass.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "None identified.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "dump_lsass_via_procdump_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "EC2 Instance Modified With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "56f91724-cf3f-4666-84e1-e3712fb41e76", "description": "This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Unusual AWS EC2 Modifications"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_modified_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "ec2_modification_api_calls", "definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "author": "Bhavin Patel, Splunk", "date": "2018-02-23", "version": 1, "id": "ada0f478-84a8-4641-a3f3-d82362d6fd75", "description": "This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\"-1d@d\"), \"Instance Started in a New Region\",\"Previously Seen Region\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\"Instance Started in a New Region\" | `ec2_instance_started_in_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen AWS Regions\" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_in_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen AMI", "author": "David Dorsey, Splunk", "date": "2018-03-12", "version": 1, "id": "347ec301-601b-48b9-81aa-9ddf9c829dd3", "description": "This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 AMIs\" support search once to create a history of previously seen AMIs.", "known_false_positives": "After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_ami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2020-02-07", "version": 2, "id": "65541c80-03c7-4e05-83c8-1dcd57a2e1ad", "description": "This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\"m1.small\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Instance Types\" support search once to create a history of previously seen instance types.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "22773e84-bac0-4595-b086-20d3f735b4f1", "description": "This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs.", "known_false_positives": "It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Execution of File With Spaces Before Extension", "author": "Rico Valdez, Splunk", "date": "2020-11-19", "version": 3, "id": "ab0353e6-a956-420b-b724-a8b4846d5d5a", "description": "This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.", "references": [], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* .*\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "execution_of_file_with_spaces_before_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Extended Period Without Successful Netbackup Backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aef-952c-3ea214444440", "description": "This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` MESSAGE=\"Disk/Partition backup completed successfully.\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \"-7d@d\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "extended_period_without_successful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "First time seen command line argument", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 5, "id": "a1b6e73f-98d5-470f-99ac-77aacd578473", "description": "This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "first_time_seen_command_line_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GCP Detect accounts with high risk roles by project", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "27af8c15-38b0-4408-b339-920170724adb", "description": "This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/understanding-roles"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Detect high risk permissions by resource and account", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "2e70ef35-2187-431f-aedc-4503dc9b06ba", "description": "This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/permissions-reference"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "gcp detect oauth token abuse", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972", "description": "This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.", "references": ["https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1", "https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "gcp_detect_oauth_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "db5957ec-0144-4c56-b512-9dccbe7a2d26", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \"data.labels.authorization.k8s.io/decision\"=forbid \"data.protoPayload.status.message\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\"system:anonymous\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "gcp_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Identify New User Accounts", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "475b9e27-17e4-46e2-b7e2-648221be3b89", "description": "This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.", "references": [], "tags": {"analytic_story": [], "asset_type": "Domain Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, \"Accounts created in last week\") | search empStatus=\"Accounts created in last week\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`", "how_to_implement": "To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.", "known_false_positives": "If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "identify_new_user_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kubernetes AWS detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "5b30b25d-7d32-42d8-95ca-64dfcd9076e6", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "de7264ed-3ed9-4fef-bb01-6eefc87cefe8", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "b6013a7b-85e0-4a45-b051-10b252d69569", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "a6959c57-fa8f-4277-bb86-7c32fba579d5", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "55a2264a-b7f0-45e5-addd-1e5ab3415c72", "description": "This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "47af7d20-0607-4079-97d7-7a29af58b54e", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "1bba382b-07fd-4ffa-b390-8002739b76e8", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "f27349e5-1641-4f6a-9e68-30402be0ad4c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "019690d7-420f-4da0-b320-f27b09961514", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "4b6d1ba8-0000-4cec-87e6-6cbbd71651b5", "description": "This search provides information on rare Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure pod scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "86aad3e0-732f-4f66-bbbc-70df448e461d", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_pod_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-19", "version": 1, "id": "c5e5bd5c-1013-4841-8b23-e7b3253c840a", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-07-10", "version": 1, "id": "7f5c2779-88a0-4824-9caa-0f606c8f260f", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk GCP add on. This search works with pubsub messaging service logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "99487de3-7192-4b41-939d-fbe9acfb1340", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`", "how_to_implement": "You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "bdb6d596-86a0-4aba-8369-418ae8b9963a", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`", "how_to_implement": "You must install splunk add on for GCP . This search works with pubsub messaging service logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a46923f6-36b9-4806-a681-31f314907c30", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging servicelogs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7094808d-432a-48e7-bb3c-77e96c894f3b", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging service logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a5bed417-070a-41f2-a1e4-82b6aa281557", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor DNS For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2017-09-23", "version": 1, "id": "24dd17b1-e2fb-4c31-878c-d4f746595bfa", "description": "This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command.", "known_false_positives": "None at this time", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_dns", "definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "monitor_dns_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "author": "Michael Haag, Mauricio Velazco, Rico Valdez, Splunk", "date": "2024-02-29", "version": 3, "id": "19cba45f-cad3-4032-8911-0c09e0444552", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS", "https://developer.okta.com/docs/reference/api/system-log/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multple user accounts have failed to authenticate from a single IP.", "risk_score": 9, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Suspicious Admin Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "7f398cfb-918d-41f4-8db8-2e2474e02c28", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.003", "T1114"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_admin_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Suspicious Rights Delegation", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-15", "version": 2, "id": "b25d2973-303e-47c8-bacd-52b61604c6a7", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access.", "references": ["https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://attack.mitre.org/techniques/T1098/002/", "https://attack.mitre.org/techniques/T1114/002/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002", "T1114", "T1098.002", "T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_rights_delegation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Suspicious User Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "f8dfe015-dbb3-4569-ba75-b13787e06aa4", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the \"Identity\" field as \"src_user\" and searches for entries where the \"ForwardingSmtpAddress\" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ForwardingSmtpAddress", "type": "Email Address", "role": ["Other"]}], "message": "User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.003", "T1114"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_user_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Account Locked Out", "author": "Michael Haag, Splunk", "date": "2022-09-21", "version": 1, "id": "d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_user$ account has been locked out.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Account Lockout Events", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-19", "version": 2, "id": "62b70968-a0a5-4724-8ac4-67871e6f544d", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.", "references": ["https://developer.okta.com/docs/reference/api/event-types/#catalog", "https://developer.okta.com/docs/reference/api/event-types/?q=user.account.lock"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following user $src_user$ has locked out their account within Okta.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_lockout_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Failed SSO Attempts", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-21", "version": 3, "id": "371a6545-2618-4032-ad84-93386b8698c5", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event \"unauth app access attempt\".", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ failed SSO authentication to the app.", "risk_score": 16, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "There may be a faulty config preventing legitmate users from accessing apps they should have access to.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_failed_sso_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "632663b0-4562-4aad-abe9-9f621a049738", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a high number of login failures.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.001", "T1110.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Login failures with high unknown users count*\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_login_failure_with_high_unknown_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "25dbad05-6682-4dd5-9ce9-8adecf0d9ae2", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify \"PasswordSpray\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a PasswordSpray attack.", "risk_score": 60, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.001", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Password Spray\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_suspected_passwordspray_attack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Two or More Rejected Okta Pushes", "author": "Michael Haag, Marissa Bower, Splunk", "date": "2022-09-27", "version": 1, "id": "d93f785e-4c2c-4262-b8c7-12b77a13fd39", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` outcome.reason=\"User rejected Okta push verify\" OR (debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\" outcome.result=FAILURE legacyEventType=\"core.user.factor.attempt_fail\" \"target{}.detailEntry.methodTypeUsed\"=\"Get a push notification\") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, \"@\"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_two_or_more_rejected_okta_pushes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Open Redirect in Splunk Web", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "d199fb99-2312-451a-9daa-e5efa6ed76a7", "description": "This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunk_web_access return_to=\"/%09/*\" | `open_redirect_in_splunk_web_filter`", "how_to_implement": "No extra steps needed to implement this search.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "open_redirect_in_splunk_web_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Osquery pack - ColdRoot detection", "author": "Rico Valdez, Splunk", "date": "2019-01-29", "version": 1, "id": "a6fffe5e-05c3-4c04-badc-887607fbb8dc", "description": "This search looks for ColdRoot events from the osx-attacks osquery pack.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "osquery_pack___coldroot_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes created by netsh", "author": "Bhavin Patel, Splunk", "date": "2020-11-23", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162041e", "description": "This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.", "references": [], "tags": {"analytic_story": ["Netsh Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude \"C:\\Program Files\\rempl\\sedlauncher.exe\" process path since it is a legitimate process by Mircosoft.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "processes_created_by_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Prohibited Software On Endpoint", "author": "David Dorsey, Splunk", "date": "2019-10-11", "version": 2, "id": "a51bfe1a-94f0-48cc-b4e4-b6ae50145893", "description": "This search looks for applications on the endpoint that you have marked as prohibited.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "prohibited_software_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "prohibited_softwares", "definition": "search *", "description": "This macro is deprecated. Update this macro to look for prohibited softwares in your environment"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Reg exe used to hide files directories via registry keys", "author": "Bhavin Patel, Splunk", "date": "2019-02-27", "version": 2, "id": "61a7d1e6-f5d4-41d9-a9be-39a1ffe69459", "description": "The search looks for command-line arguments used to hide a file or directory using the reg add command.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1564.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\"*add*\" Processes.process=\"*Hidden*\" Processes.process=\"*REG_DWORD*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \"(/d\\s+2)\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None at the moment", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Registry Key modifications", "author": "Bhavin Patel, Splunk", "date": "2020-03-02", "version": 3, "id": "c9f4b923-f8af-4155-b697-1354f5dcbc5e", "description": "This search monitors for remote modifications to registry keys.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"\\\\\\\\*\" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`", "how_to_implement": "To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.", "known_false_positives": "This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "remote_registry_key_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Scheduled tasks used in BadRabbit ransomware", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6", "description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection", "references": [], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \"*create*\" OR Processes.process= \"*delete*\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No known false positives", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "scheduled_tasks_used_in_badrabbit_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Spectre and Meltdown Vulnerable Systems", "author": "David Dorsey, Splunk", "date": "2017-01-07", "version": 1, "id": "354be8e0-32cd-4da0-8c47-796de13b60ea", "description": "The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.", "references": [], "tags": {"analytic_story": ["Spectre And Meltdown Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\"CVE-2017-5753\" OR Vulnerabilities.cve =\"CVE-2017-5715\" OR Vulnerabilities.cve =\"CVE-2017-5754\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`", "how_to_implement": "The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.", "known_false_positives": "It is possible that your vulnerability scanner is not detecting that the patches have been applied.", "datamodel": ["Vulnerabilities"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spectre_and_meltdown_vulnerable_systems_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise Information Disclosure", "author": "David Dorsey, Splunk", "date": "2018-06-14", "version": 1, "id": "f6a26b7b-7e80-4963-a9a8-d836e7534ebd", "description": "This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\"*raw/services/server/info/server-info\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`", "how_to_implement": "The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.", "known_false_positives": "Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_information_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Changes to File Associations", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 4, "id": "1b989a0e-0129-4446-a695-f193a5b746fc", "description": "This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\\\Explorer\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_changes_to_file_associations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email - UBA Anomaly", "author": "Bhavin Patel, Splunk", "date": "2020-07-22", "version": 3, "id": "56e877a6-1455-4479-ad16-0550dc1e33f8", "description": "This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).", "references": [], "tags": {"analytic_story": ["Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \"SuspiciousEmailDetectionModel\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`", "how_to_implement": "You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called \"SuspiciousEmailDetectionModel.\" Ensure that this model is enabled on your UBA instance.", "known_false_positives": "This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.", "datamodel": ["Email", "UEBA"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_email___uba_anomaly_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious File Write", "author": "Rico Valdez, Splunk", "date": "2019-04-25", "version": 3, "id": "57f76b8a-32f0-42ed-b358-d9fa3ca7bac8", "description": "The search looks for files created with names that have been linked to malicious activity.", "references": [], "tags": {"analytic_story": ["Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor.", "known_false_positives": "It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "suspicious_writes", "definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious"}], "lookups": []}, {"name": "Suspicious Powershell Command-Line Arguments", "author": "David Dorsey, Splunk", "date": "2021-01-19", "version": 6, "id": "2cdb91d2-542c-497f-b252-be495e71f38c", "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", "references": [], "tags": {"analytic_story": ["CISA AA22-320A", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_powershell_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 Rename", "author": "Michael Haag, Splunk", "date": "2022-04-07", "version": 5, "id": "7360137f-abad-473e-8189-acbdaa34d114", "description": "The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed rundll32.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1036", "T1218.011", "T1036.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to System Volume Information", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 2, "id": "cd6297cd-2bdd-4aa1-84aa-5d2f84228fac", "description": "This search detects writes to the 'System Volume Information' folder by something other than the System process.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\ Volume Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`", "how_to_implement": "You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_writes_to_system_volume_information_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Uncommon Processes On Endpoint", "author": "David Dorsey, Splunk", "date": "2020-07-22", "version": 4, "id": "29ccce64-a10c-4389-a45f-337cb29ba1f7", "description": "This search looks for applications on the endpoint that you have marked as uncommon.", "references": [], "tags": {"analytic_story": ["Hermetic Wiper", "Unusual Processes", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1204.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uncommon_processes", "definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon"}, {"name": "uncommon_processes_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsigned Image Loaded by LSASS", "author": "Patrick Bareiss, Splunk", "date": "2019-12-06", "version": 1, "id": "56ef054c-76ef-45f9-af4a-a634695dcd65", "description": "This search detects loading of unsigned images by LSASS. Deprecated because too noisy.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsigned_image_loaded_by_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsuccessful Netbackup backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aaa-952c-3ea21444444f", "description": "This search gives you the hosts where a backup was attempted and then failed.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\"An error occurred, failed to backup.\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unsuccessful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Account Harvesting", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "bf1d7b5c-df2f-4249-a401-c09fdc221ddf", "description": "This search is used to identify the creation of multiple user accounts using the same email domain name.", "references": ["https://splunkbase.splunk.com/app/2734/", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_content_type=text* uri=\"/magento2/customer/account/loginPost/\" | rex field=cookie \"form_key=(?\\w+)\" | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | search Username=* | rex field=Username \"@(?.*)\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`", "how_to_implement": "We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___account_harvesting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Anomalous User Clickspeed", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337bbb-bc22-4752-b599-ef192df2dc7a", "description": "This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* | rex field=cookie \"form_key=(?\\w+)\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`", "how_to_implement": "Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___anomalous_user_clickspeed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Password Sharing Across Accounts", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337a1a-53b9-4e05-96e9-55c934cb71d3", "description": "This search is used to identify user accounts that share a common password.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | rex field=form_data \"login\\[password\\]=(?[^&|^$]+)\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`", "how_to_implement": "We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___password_sharing_across_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows connhost exe started forcefully", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "c114aaca-68ee-41c2-ad8c-32bf21db8769", "description": "The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. ", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process=\"*C:\\\\Windows\\\\system32\\\\conhost.exe* 0xffffffff *-ForceV1*\" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This process should not be ran forcefully, we have not see any false positives for this detection", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_connhost_exe_started_forcefully_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 3, "id": "79c7d0fc-60c7-41be-a616-ccda752efe89", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows hosts file modification", "author": "Rico Valdez, Splunk", "date": "2018-11-02", "version": 1, "id": "06a6fc63-a72d-41dc-8736-7e3dd9612116", "description": "The search looks for modifications to the hosts file on all Windows endpoints across your environment.", "references": [], "tags": {"analytic_story": ["Host Redirection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\System32\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "There may be legitimate reasons for system administrators to add entries to this file.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_hosts_file_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "3CX Supply Chain Attack Network Indicators", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "791b727c-deec-4fbe-a732-756131b3c5a1", "description": "The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "URL String", "role": ["Attacker"]}], "message": "Indicators related to 3CX supply chain attack have been identified on $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1195.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.", "known_false_positives": "False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.", "datamodel": ["Network_Resolution"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "3cx_supply_chain_attack_network_indicators_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack.", "filename": "3cx_ioc_domains.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "7zip CommandLine To SMB Share Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "01d29b48-ff6f-11eb-b81e-acde48001123", "description": "The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "archive process $process_name$ with suspicious cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "7zip_commandline_to_smb_share_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Access LSASS Memory for Dump Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 3, "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "description": "The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "access_lsass_memory_for_dump_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Account Discovery With Net App", "author": "Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community", "date": "2024-05-22", "version": 5, "id": "339805ce-ac30-11eb-b87d-acde48001122", "description": "The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"analytic_story": ["IcedID", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=\"* user *\" OR Processes.process=\"*config*\" OR Processes.process=\"*view /all*\") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or power user may used this series of command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Active Directory Lateral Movement Identified", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "description": "The following analytic identifies potential lateral movement activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame. This is significant for a SOC as lateral movement is a common tactic used by attackers to expand their access within a network, posing a substantial risk. If confirmed malicious, this activity could allow attackers to escalate privileges, access sensitive information, and persist within the environment, leading to severe security breaches.", "references": ["https://attack.mitre.org/tactics/TA0008/", "https://research.splunk.com/stories/active_directory_lateral_movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to lateral movement has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Lateral Movement\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "active_directory_lateral_movement_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Active Directory Privilege Escalation Identified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "description": "The following analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame. This is significant for a SOC as it helps identify coordinated attempts to gain elevated privileges, which could indicate a serious security threat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive systems and data, leading to potential data breaches and further compromise of the network.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://research.splunk.com/stories/active_directory_privilege_escalation/"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to privilege escalation has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Privilege Escalation\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "active_directory_privilege_escalation_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Active Setup Registry Autostart", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 5, "id": "f64579c0-203f-11ec-abcc-acde48001122", "description": "The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"StubPath\" value within the \"SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.", "references": ["https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E", "https://attack.mitre.org/techniques/T1547/014/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.014", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Active setup installer may add or modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "active_setup_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Add DefaultUser And Password In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 5, "id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "description": "The following analytic detects suspicious registry modifications that implement auto admin logon by adding DefaultUserName and DefaultPassword values. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" registry path. This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot. If confirmed malicious, this could allow attackers to maintain persistence and further encrypt the network, leading to significant data loss and operational disruption.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.002", "T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "add_defaultuser_and_password_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Add or Set Windows Defender Exclusion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "773b66fe-4dd9-11ec-8289-acde48001122", "description": "The following analytic detects the use of commands to add or set exclusions in Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"Add-MpPreference\" or \"Set-MpPreference\" with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute undetected. If confirmed malicious, this behavior could enable attackers to evade antivirus detection, maintain persistence, and execute further malicious activities without interference from Windows Defender.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*Add-MpPreference *\" OR Processes.process = \"*Set-MpPreference *\") AND Processes.process=\"*-exclusion*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or user may choose to use this windows features. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "add_or_set_windows_defender_exclusion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "AdsiSearcher Account Discovery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "de7fcadc-04f3-11ec-a241-acde48001122", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/002/", "https://www.blackhillsinfosec.com/red-blue-purple/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"AdsiSearcher\" used for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=user*\" ScriptBlockText = \"*.findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "adsisearcher_account_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Allow File And Printing Sharing In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 4, "id": "ce27646e-d411-11eb-8a00-acde48001122", "description": "The following analytic detects the modification of firewall settings to allow file and printer sharing. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving 'netsh' commands that enable file and printer sharing. This activity is significant because it can indicate an attempt by ransomware to discover and encrypt files on additional machines connected to the compromised host. If confirmed malicious, this could lead to widespread file encryption across the network, significantly increasing the impact of a ransomware attack.", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"File and Printer Sharing\\\"*\" Processes.process=\"*enable=Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_file_and_printing_sharing_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Allow Inbound Traffic By Firewall Rule Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 6, "id": "0a46537c-be02-11eb-92ca-acde48001122", "description": "The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Azorult", "NjRAT", "PlugX", "Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_inbound_traffic_by_firewall_rule_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Allow Inbound Traffic In Firewall Rule", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "a5d85486-b89c-11eb-8267-acde48001122", "description": "The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like \"firewall,\" \"Inbound,\" \"Allow,\" and \"-LocalPort.\" This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall modification detected on endpoint $dest$ by user $user$.", "risk_score": 3, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*firewall*\" ScriptBlockText = \"*Inbound*\" ScriptBlockText = \"*Allow*\" ScriptBlockText = \"*-LocalPort*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "administrator may allow inbound traffic in certain network or machine.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_inbound_traffic_in_firewall_rule_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Allow Network Discovery In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 3, "id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "description": "The following analytic detects a suspicious modification to the firewall to allow network discovery on a machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving the 'netsh' command to enable network discovery. This activity is significant because it is commonly used by ransomware, such as REvil and RedDot, to discover and compromise additional machines on the network. If confirmed malicious, this could lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack.", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "NjRAT", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious modification to the firewall to allow network discovery detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"Network Discovery\\\"*\" Processes.process=\"*enable*\" Processes.process=\"*Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_network_discovery_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Allow Operation with Consent Admin", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 5, "id": "7de17d7a-c9d8-11eb-a812-acde48001122", "description": "The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4", "https://www.trendmicro.com/vinfo/no/threat-encyclopedia/malware/Ransom.Win32.MRDEC.MRA/"], "tags": {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_operation_with_consent_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Anomalous usage of 7zip", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "description": "The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"rundll32.exe\", \"dllhost.exe\") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "anomalous_usage_of_7zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Any Powershell DownloadFile", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "1a93b7ea-7af7-11eb-adb5-acde48001122", "description": "The following analytic detects the use of PowerShell's `DownloadFile` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it is commonly used in malicious frameworks to download and execute additional payloads. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Analysts should investigate the source and destination of the download and review AMSI or PowerShell transaction logs for additional context.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Phemedrone Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "any_powershell_downloadfile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Any Powershell DownloadString", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 4, "id": "4d015ef2-7adf-11eb-95da-acde48001122", "description": "The following analytic detects the use of PowerShell's `DownloadString` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because `DownloadString` is commonly used in malicious PowerShell scripts to fetch and execute remote code. If confirmed malicious, this behavior could allow an attacker to download and run arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "IcedID", "Ingress Tool Transfer", "Malicious PowerShell", "Phemedrone Stealer", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "any_powershell_downloadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Attacker Tools On Endpoint", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 4, "id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "description": "The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.", "references": [], "tags": {"analytic_story": ["CISA AA22-264A", "Monitor for Unauthorized Software", "SamSam Ransomware", "Unusual Processes", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036.005", "T1036", "T1003", "T1595"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some administrator activity can be potentially triggered, please add those users to the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attacker_tools_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "attacker_tools", "description": "A list of tools used by attackers", "filename": "attacker_tools.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempt To Add Certificate To Untrusted Store", "author": "Patrick Bareiss, Rico Valdez, Splunk", "date": "2024-05-12", "version": 8, "id": "6bc5243e-ef36-45dc-9b12-f4a6be131159", "description": "The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"], "tags": {"analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.004", "T1553"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attempt_to_add_certificate_to_untrusted_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Attempt To Stop Security Service", "author": "Rico Valdez, Splunk", "date": "2024-05-21", "version": 5, "id": "c8e349c6-b97c-486e-8949-bd7bcd1f3910", "description": "The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the \"sc.exe\" command with the \"stop\" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Data Destruction", "Disabling Security Tools", "Graceful Wipe Out Attack", "Trickbot", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified. Attempts to disable security-related services should be identified and understood.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attempt_to_stop_security_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "security_services_lookup", "description": "A list of services that deal with security", "filename": "security_services.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 8, "id": "e9fb4a59-c5fb-440a-9f24-191fbc6b2911", "description": "The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Data Destruction", "Industroyer2", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export the registry keys.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attempted_credential_dump_from_registry_via_reg_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Auto Admin Logon Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 5, "id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "description": "The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"AutoAdminLogon\" value within the \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1552.002", "T1552"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "auto_admin_logon_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Batch File Write to System32", "author": "Steven Dick, Michael Haag, Rico Valdez, Splunk", "date": "2024-05-19", "version": 5, "id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "description": "The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\") Filesystem.file_name=\"*.bat\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "batch_file_write_to_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Bcdedit Command Back To Normal Mode Boot", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "dc7a8004-0f18-11ec-8c54-acde48001122", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that reconfigures a host from safe mode back to normal boot. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant as it may indicate the presence of ransomware, such as BlackMatter, which manipulates boot configurations to facilitate encryption processes. If confirmed malicious, this behavior could allow attackers to maintain control over the boot process, potentially leading to further system compromise and data encryption.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/deletevalue*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bcdedit_command_back_to_normal_mode_boot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "BCDEdit Failure Recovery Modification", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "809b31d2-5462-11eb-ae93-0242ac130002", "description": "The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as \"recoveryenabled\" and \"no\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair"], "tags": {"analytic_story": ["Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*recoveryenabled*\" (Processes.process=\"* no*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bcdedit_failure_recovery_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "BITS Job Persistence", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "e97a5ffe-90bf-11eb-928a-acde48001122", "description": "The following analytic detects the use of `bitsadmin.exe` to schedule a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line parameters such as `create`, `addfile`, and `resume`. This activity is significant because BITS jobs can be used by attackers to maintain persistence, download malicious payloads, or exfiltrate data. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or transfer sensitive information, necessitating further investigation and potential remediation.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"], "tags": {"analytic_story": ["BITS Jobs", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1197"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bits_job_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "BITSAdmin Download File", "author": "Michael Haag, Sittikorn S", "date": "2024-05-20", "version": 4, "id": "80630ff4-8e4c-11eb-aab5-acde48001122", "description": "The following analytic detects the use of `bitsadmin.exe` with the `transfer` parameter to download a remote object. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because `bitsadmin.exe` can be exploited to download and execute malicious files without immediate detection. If confirmed malicious, an attacker could use this technique to download and execute payloads, potentially leading to code execution, privilege escalation, or persistent access within the environment. Review parallel and child processes, especially `svchost.exe`, for associated artifacts.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download", "https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["BITS Jobs", "DarkSide Ransomware", "Flax Typhoon", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1197", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however it may be required to filter based on parent process name or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bitsadmin_download_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "415b4306-8bfb-11eb-85c4-acde48001122", "description": "The following analytic detects the use of certutil.exe to download files using the `-urlcache` and `-split` arguments. It leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include these specific arguments. This activity is significant because certutil.exe is typically used for certificate services, and its use to download files from remote locations is uncommon and potentially malicious. If confirmed, this behavior could indicate an attempt to download and execute malicious payloads, leading to potential system compromise and unauthorized data access.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats", "https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkSide Ransomware", "Flax Typhoon", "Forest Blizzard", "Ingress Tool Transfer", "Living Off The Land", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_download_with_urlcache_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 4, "id": "801ad9e4-8bfb-11eb-8b31-acde48001122", "description": "The following analytic detects the use of `certutil.exe` to download files using the `-VerifyCtl` and `-split` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_download_with_verifyctl_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Certutil exe certificate extraction", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 3, "id": "337a46be-600f-11eb-ae93-0242ac130002", "description": "The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack", "https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = \"*-exportPFX*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_exe_certificate_extraction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CertUtil With Decode Argument", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "bfe94226-8c10-11eb-a4b3-acde48001122", "description": "The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1140/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Deobfuscate-Decode Files or Information", "Forest Blizzard", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1140"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_with_decode_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Change Default File Association", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "462d17d8-1f71-11ec-ad07-acde48001122", "description": "The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under \"*\\\\shell\\\\open\\\\command\\\\*\" and \"*HKCR\\\\*\". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.", "references": ["https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Prestige Ransomware", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1546.001", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\shell\\\\open\\\\command\\\\*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "change_default_file_association_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Change To Safe Mode With Network Config", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that configures a host to boot in safe mode with network support. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant because it is a known technique used by BlackMatter ransomware to force a compromised host into safe mode for continued encryption. If confirmed malicious, this could allow attackers to bypass certain security controls, persist in the environment, and continue their malicious activities.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to force safemode boot the $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/set*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" Processes.process=\"*network*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "change_to_safe_mode_with_network_config_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CHCP Command Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "21d236ec-eec1-11eb-b23e-acde48001122", "description": "The following analytic detects the execution of the chcp.exe application, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where chcp.exe is executed by cmd.exe with specific command-line arguments. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.", "references": ["https://ss64.com/nt/chcp.html", "https://twitter.com/tccontre18/status/1419941156633329665?s=20"], "tags": {"analytic_story": ["Azorult", "Forest Blizzard", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "other tools or script may used this to change code page to UTF-* or others", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "chcp_command_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Check Elevated CMD using whoami", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "a9079b18-1633-11ec-859c-acde48001122", "description": "The following analytic identifies the execution of the 'whoami' command with specific parameters to check for elevated privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment.", "references": [], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*whoami*\" Processes.process = \"*/group*\" Processes.process = \"* find *\" Processes.process = \"*12288*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "check_elevated_cmd_using_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Child Processes of Spoolsv exe", "author": "Rico Valdez, Splunk", "date": "2024-05-15", "version": 4, "id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "description": "The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "child_processes_of_spoolsv_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Clear Unallocated Sector Using Cipher App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "description": "The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process.", "references": ["https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cipher.exe\" Processes.process = \"*/w:*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may execute this app to manage disk", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "clear_unallocated_sector_using_cipher_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Clop Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 3, "id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "description": "The following analytic identifies the execution of CLOP ransomware variants using specific arguments (\"runrun\" or \"temp.dat\") to trigger their malicious activities. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it indicates potential ransomware behavior, which can lead to file encryption on network shares or local machines. If confirmed malicious, this activity could result in significant data loss and operational disruption due to encrypted files, highlighting the need for immediate investigation and response.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Operators can execute third party tools using these parameters.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "clop_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Clop Ransomware Known Service Name", "author": "Teoderick Contreras", "date": "2024-05-21", "version": 3, "id": "07e08a12-870c-11eb-b5f9-acde48001122", "description": "The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names (\"SecurityCenterIBM\", \"WinCheckDRVs\"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of a known Clop Ransomware Service Name detected on $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ServiceName StartType ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "clop_ransomware_known_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "CMD Carry Out String Command Parameter", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-20", "version": 5, "id": "54a6ed00-3256-11ec-b031-acde48001122", "description": "The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AsyncRAT", "Azorult", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Hermetic Wiper", "IcedID", "Living Off The Land", "Log4Shell CVE-2021-44228", "NjRAT", "PlugX", "ProxyNotShell", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Warzone RAT", "WhisperGate", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.003", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process=\"* /c*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be high based on legitimate scripted code in any environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "cmd_carry_out_string_command_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CMD Echo Pipe - Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "eb277ba0-b96b-11eb-b00e-acde48001122", "description": "The following analytic identifies the use of named-pipe impersonation for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. It detects command-line executions where `cmd.exe` uses `echo` to write to a named pipe, such as `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential privilege escalation attempts. If confirmed malicious, attackers could gain elevated privileges, enabling further compromise and persistence within the environment.", "references": ["https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.003", "T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible filtering may be required to ensure fidelity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cmd_echo_pipe___escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "6c3f7dd8-153c-11ec-ac2d-acde48001122", "description": "The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-277A", "CISA AA23-347A", "DarkGate Malware", "FIN7", "Qakbot", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cmdline_tool_not_executed_in_cmd_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-05", "version": 2, "id": "f87b5062-b405-11eb-a889-acde48001122", "description": "The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "tags": {"analytic_story": ["DarkSide Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Legitimate windows application that are not on the list loading this dll. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cmlua_or_cmstplua_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Cobalt Strike Named Pipes", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "5876d429-0240-4709-8b93-ea8330b411b5", "description": "The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify specific named pipes commonly used by Cobalt Strike's Artifact Kit and Malleable C2 Profiles. This activity is significant because Cobalt Strike is a popular tool for adversaries to conduct post-exploitation tasks, and identifying its named pipes can reveal potential malicious activity. If confirmed malicious, this could indicate an active Cobalt Strike beacon, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1040", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "DarkSide Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=17 OR EventID=18 PipeName IN (\\\\msagent_*, \\\\DserNamePipe*, \\\\srvsvc_*, \\\\postex_*, \\\\status_*, \\\\MSSE-*, \\\\spoolss_*, \\\\win_svc*, \\\\ntsvcs*, \\\\winsock*, \\\\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cobalt_strike_named_pipes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Common Ransomware Extensions", "author": "David Dorsey, Michael Haag, Splunk, Steven Dick", "date": "2024-05-26", "version": 6, "id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "description": "The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.", "references": ["https://github.com/splunk/security_content/issues/2448"], "tags": {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name \"(?\\.[^\\.]+)$\" | rex field=file_path \"(?([^\\\\\\]*\\\\\\)*).*\" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "common_ransomware_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "ransomware_extensions", "definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Common Ransomware Notes", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 5, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "description": "The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands.", "references": [], "tags": {"analytic_story": ["Chaos Ransomware", "Clop Ransomware", "LockBit Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "It's possible that a legitimate file could be created with the same name used by ransomware note files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "common_ransomware_notes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "ransomware_notes", "definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "56a3ac65-e747-41f7-b014-dff7423c1dda", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") Filesystem.file_name IN (\"*.aspx\",\"*.ashx\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`", "how_to_implement": "This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "connectwise_screenconnect_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "4e127857-1fc9-4c95-9d69-ba24c91d52d7", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4663 ProcessName=*\\\\ScreenConnect.Service.exe file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") file_name IN (\"*.aspx\",\"*.ashx\") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter`", "how_to_implement": "To implement the following query, enable SACL auditing for the ScreenConnect directory(ies). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL Auditing.", "known_false_positives": "False positives should be limited as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "connectwise_screenconnect_path_traversal_windows_sacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Conti Common Exec parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "624919bc-c382-11eb-adcc-acde48001122", "description": "The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*-m local*\" OR Processes.process = \"*-m net*\" OR Processes.process = \"*-m all*\" OR Processes.process = \"*-nomutex*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "3rd party tool may have commandline parameter that can trigger this detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "conti_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Control Loading from World Writable Directory", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "10423ac4-10c9-11ec-8dc4-acde48001122", "description": "The following analytic identifies instances of control.exe loading a .cpl or .inf file from a writable directory, which is related to CVE-2021-40444. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate an attempt to exploit a known vulnerability, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the affected system, leading to further compromise.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "control_loading_from_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Create local admin accounts using net exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 10, "id": "b89919ed-fe5f-492c-b139-151bb162040e", "description": "The following analytic detects the creation of local administrator accounts using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes named net.exe or net1.exe with the \"/add\" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.", "references": [], "tags": {"analytic_story": ["Azorult", "CISA AA22-257A", "DHS Report TA18-074A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create admin accounts.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_local_admin_accounts_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Create or delete windows shares using net exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 7, "id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "description": "The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats.", "references": ["https://attack.mitre.org/techniques/T1070/005/"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkGate Malware", "Hidden Cobra Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070", "T1070.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_or_delete_windows_shares_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Create Remote Thread In Shell Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "10399c1e-f51e-11eb-b920-acde48001122", "description": "The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "references": ["https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/"], "tags": {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\cmd.exe\", \"*\\\\powershell*\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_remote_thread_in_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Create Remote Thread into LSASS", "author": "Patrick Bareiss, Splunk", "date": "2024-05-26", "version": 2, "id": "67d4dbef-9564-4699-8da8-03a151529edc", "description": "The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon Event ID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "TargetImage", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_remote_thread_into_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Creation of lsass Dump with Taskmgr", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "description": "The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager", "https://attack.mitre.org/techniques/T1003/001/", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "creation_of_lsass_dump_with_taskmgr_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Creation of Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "eb120f5f-b879-4a63-97c1-93352b5df844", "description": "The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate administrator usage of Vssadmin or Wmic will create false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "creation_of_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "author": "Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 4, "id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "description": "The following analytic detects the creation of shadow copies using \"wmic\" or \"Powershell\" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes \"shadowcopy\" and \"create\". This activity is significant because it may indicate an attacker attempting to manipulate or access data unauthorizedly, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legtimate administrator usage of wmic to create a shadow copy.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "creation_of_shadow_copy_with_wmic_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-30", "version": 3, "id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "description": "The following analytic detects the use of the copy command to dump credentials from a shadow copy. It leverages Endpoint Detection and Response (EDR) data to identify processes with command lines referencing critical files like \"sam\", \"security\", \"system\", and \"ntds.dit\" in system directories. This activity is significant as it indicates an attempt to extract credentials, a common technique for unauthorized access and privilege escalation. If confirmed malicious, this could lead to attackers gaining sensitive login information, escalating privileges, moving laterally within the network, or accessing sensitive data.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "credential_dumping_via_copy_command_from_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Credential Dumping via Symlink to Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 3, "id": "c5eac648-fae0-4263-91a6-773df1f4c903", "description": "The following analytic detects the creation of a symlink to a shadow copy, which may indicate credential dumping attempts. It leverages the Endpoint.Processes data model in Splunk to identify processes executing commands containing \"mklink\" and \"HarddiskVolumeShadowCopy\". This activity is significant because attackers often use this technique to manipulate or delete shadow copies, hindering system backup and recovery efforts. If confirmed malicious, this could prevent data restoration, complicate incident response, and lead to data loss or compromise. Analysts should review the process details, user, parent process, and any related artifacts to identify the attack source.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "credential_dumping_via_symlink_to_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CSC Net On The Fly Compilation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "ea73128a-43ab-11ec-9753-acde48001122", "description": "The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/", "https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "csc.exe with commandline $process$ to compile .net code on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027.004", "T1027"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = \"*/noconfig*\" Processes.process = \"*/fullpaths*\" Processes.process = \"*@*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "csc_net_on_the_fly_compilation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_csc", "definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Curl Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "900bc324-59f3-11ec-9fb4-acde48001122", "description": "The following analytic detects the use of curl on Linux or MacOS systems to download a file from a remote source and pipe it directly to bash for execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant as it is commonly associated with malicious actions such as coinminers and exploitation of vulnerabilities like CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could lead to unauthorized code execution, system compromise, and further exploitation within the environment.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "curl_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Delete ShadowCopy With PowerShell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "description": "The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like \"ShadowCopy,\" \"Delete,\" or \"Remove\" within the ScriptBlockText. This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, this action could lead to irreversible data loss and hinder recovery efforts, significantly impacting business continuity and data integrity.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security"], "tags": {"analytic_story": ["DarkGate Malware", "DarkSide Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to delete ShadowCopy was performed using PowerShell on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*ShadowCopy*\" (ScriptBlockText = \"*Delete*\" OR ScriptBlockText = \"*Remove*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "delete_shadowcopy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Deleting Of Net Users", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "1c8c6f66-acce-11eb-aafb-acde48001122", "description": "The following analytic detects the use of net.exe or net1.exe command-line to delete a user account on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as it may indicate an attempt to impair user accounts or cover tracks during lateral movement. If confirmed malicious, this could lead to unauthorized access removal, disruption of legitimate user activities, or concealment of adversarial actions, complicating incident response and forensic investigations.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["DarkGate Malware", "Graceful Wipe Out Attack", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1531"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/delete*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators or scripts may delete user accounts via this technique. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "deleting_of_net_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Deleting Shadow Copies", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 5, "id": "b89919ed-ee5f-492c-b139-95dbb162039e", "description": "The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["CISA AA22-264A", "Chaos Ransomware", "Clop Ransomware", "DarkGate Malware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "SamSam Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "deleting_shadow_copies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect AzureHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "26f02e96-c300-11eb-b611-acde48001122", "description": "The following analytic detects the execution of the `Invoke-AzureHound` command-line argument, commonly used by the AzureHound tool. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because AzureHound is often used for reconnaissance in Azure environments, potentially exposing sensitive information. If confirmed malicious, this activity could allow an attacker to map out Azure Active Directory structures, aiding in further attacks and privilege escalation.", "references": ["https://attack.mitre.org/software/S0521/", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_azurehound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect AzureHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 3, "id": "1c34549e-c31b-11eb-996b-acde48001122", "description": "The following analytic detects the creation of specific AzureHound-related files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation events with specific filenames. This activity is significant because AzureHound is a tool used to gather information about Azure environments, similar to SharpHound for on-premises Active Directory. If confirmed malicious, this activity could indicate an attacker is collecting sensitive Azure environment data, potentially leading to further exploitation or privilege escalation within the cloud infrastructure.", "references": ["https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_azurehound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2024-05-15", "version": 2, "id": "93fbec4e-0375-440c-8db3-4508eca470c4", "description": "The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the \"sudoedit -s \\\\\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the \"-s\" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`linux_hosts` \"sudoedit -s \\\\\" | `detect_baron_samedit_cve_2021_3156_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_baron_samedit_cve_2021_3156_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "description": "The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both \"sudoedit\" and \"segfault\" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host", "known_false_positives": "If sudoedit is throwing segfaults for other reasons this will pick those up too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_baron_samedit_cve_2021_3156_segfault_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "author": "Shannon Davis, Splunk", "date": "2024-05-13", "version": 2, "id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "description": "The following analytic detects the execution of the \"sudoedit -s *\" command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer overflow vulnerability. This detection leverages the `osquery_process` data source to identify instances where this specific command is run. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows privilege escalation. If confirmed malicious, an attacker could gain full control of the system, execute arbitrary code, or access sensitive data, leading to potential data breaches and system disruptions.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery_process` | search \"columns.cmdline\"=\"sudoedit -s \\\\*\" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`", "how_to_implement": "OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Certify Command Line Arguments", "author": "Steven Dick", "date": "2024-05-25", "version": 2, "id": "e6d2dc61-a8b9-4b03-906c-da0ca75d71b8", "description": "The following analytic detects the use of Certify or Certipy tools to enumerate Active Directory Certificate Services (AD CS) environments. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with these tools. This activity is significant because it indicates potential reconnaissance or exploitation attempts targeting AD CS, which could lead to unauthorized access or privilege escalation. If confirmed malicious, attackers could gain insights into the AD CS infrastructure, potentially compromising sensitive certificates and escalating their privileges within the network.", "references": ["https://github.com/GhostPack/Certify", "https://github.com/ly4k/Certipy", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Certify/Certipy arguments detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1649", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"* find *\",\"* auth *\",\"* request *\",\"* req *\",\"* download *\",) AND Processes.process IN (\"* /vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\",\"* /ca*\", \"* -username *\",\"* -u *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_certify_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "author": "Steven Dick", "date": "2024-05-12", "version": 2, "id": "f533ca6c-9440-4686-80cb-7f294c07812a", "description": "The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.", "references": ["https://github.com/GhostPack/Certify", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Malicious PowerShell", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Certify arguments through PowerShell detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1649", "T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText IN (\"*find *\") AND ScriptBlockText IN (\"* /vulnerable*\",\"* -vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\")) OR (ScriptBlockText IN (,\"*auth *\",\"*req *\",) AND ScriptBlockText IN (\"* -ca *\",\"* -username *\",\"* -u *\")) OR (ScriptBlockText IN (\"*request *\",\"*download *\") AND ScriptBlockText IN (\"* /ca:*\")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),\"unknown\") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell..", "known_false_positives": "Unknown, partial script block matches.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_certify_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Certipy File Modifications", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "7e3df743-b1d8-4631-8fa8-bd5819688876", "description": "The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities. This activity is significant as it indicates potential reconnaissance and data exfiltration efforts by an attacker. If confirmed malicious, this could lead to unauthorized access to sensitive AD CS information, enabling further attacks or privilege escalation within the network.", "references": ["https://github.com/ly4k/Certipy"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious files $file_name$ related to Certipy detected on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649", "T1560"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action=\"allowed\" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*_certipy.zip\", \"*_certipy.txt\", \"*_certipy.json\", \"*.ccache\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_certipy_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Computer Changed with Anonymous Account", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-18", "version": 2, "id": "1400624a-d42d-484d-8843-e6753e6e3645", "description": "The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to \"ANONYMOUS LOGON\" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.", "references": ["https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/"], "tags": {"analytic_story": ["Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\"ANONYMOUS LOGON\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`", "how_to_implement": "This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "None thus far found", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_computer_changed_with_anonymous_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 3, "id": "9251299c-ea5b-11eb-a8de-acde48001122", "description": "The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*copy*\",\"*[System.IO.File]::Copy*\") AND ScriptBlockText IN (\"*System32\\\\config\\\\SAM*\", \"*System32\\\\config\\\\SYSTEM*\",\"*System32\\\\config\\\\SECURITY*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_copy_of_shadowcopy_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Credential Dumping through LSASS access", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 4, "id": "2c365e57-4414-4540-8dc0-73ab10729996", "description": "The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities.", "references": [], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetImage", "type": "Other", "role": ["Victim"]}], "message": "The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_credential_dumping_through_lsass_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "bc1dc6b8-c954-11eb-bade-acde48001122", "description": "The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://github.com/BC-SECURITY/Empire", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_empire_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Excessive Account Lockouts From Endpoint", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 9, "id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "description": "The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple accounts have been locked out. Review $dest$ and results related to $user$.", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`", "how_to_implement": "You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.\n**Splunk>Phantom Playbook Integration** If Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\nPlaybook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`)", "known_false_positives": "It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_excessive_account_lockouts_from_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Excessive User Account Lockouts", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 6, "id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "description": "The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive user account lockouts for $user$ in a short period of time", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`", "how_to_implement": "ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.", "known_false_positives": "It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_excessive_user_account_lockouts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Exchange Web Shell", "author": "Michael Haag, Shannon Davis, David Dorsey, Splunk", "date": "2024-05-21", "version": 6, "id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "description": "The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. It leverages data from the Endpoint datamodel, focusing on process and filesystem events. This activity is significant as it may indicate a web shell deployment, a common method for persistent access and remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary commands, and potentially escalate privileges within the Exchange environment.", "references": ["https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "HAFNIUM Group", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1505.003", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest user file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest user file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_exchange_web_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help Renamed", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 5, "id": "62fed254-513b-460e-953d-79771493a9f3", "description": "The following analytic detects instances where hh.exe (HTML Help) has been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because attackers can use renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow attackers to run arbitrary scripts, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_html_help_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help Spawn Child Process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "description": "The following analytic detects the execution of hh.exe (HTML Help) spawning a child process, indicating the use of a Compiled HTML Help (CHM) file to execute Windows script code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where hh.exe is the parent process. This activity is significant as it may indicate an attempt to execute malicious scripts via CHM files, a known technique for bypassing security controls. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["AgentTesla", "Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_html_help_spawn_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help URL in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "description": "The following analytic detects the execution of hh.exe (HTML Help) loading a Compiled HTML Help (CHM) file from a remote URL. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing URLs. This activity is significant as it can indicate an attempt to execute malicious scripts via CHM files, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to run scripts using engines like JScript or VBScript, leading to further system compromise or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://blog.sevagas.com/?Hacking-around-HTA-files", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_html_help_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "description": "The following analytic detects the execution of hh.exe (HTML Help) using InfoTech Storage Handlers to load Windows script code from a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it can be used to execute malicious scripts embedded within CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://www.kb.cert.org/vuls/id/851869", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_html_help_using_infotech_storage_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "8148c29c-c952-11eb-9255-acde48001122", "description": "The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_mimikatz_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect mshta inline hta execution", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2024-05-21", "version": 7, "id": "a0873b32-5b68-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of \"mshta.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments and process details. This activity is significant because mshta.exe can be exploited to execute malicious scripts, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or establish persistence within the environment, posing a severe security risk.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_mshta_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect mshta renamed", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 4, "id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "description": "The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_mshta_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect MSHTA Url in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Microsoft HTML Application Host (mshta.exe) to make remote HTTP or HTTPS connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments containing URLs. This activity is significant because adversaries often use mshta.exe to download and execute remote .hta files, bypassing security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network infiltration.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to access a remote destination to download an additional payload.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible legitimate applications may perform this behavior and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_mshta_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect New Local Admin account", "author": "David Dorsey, Splunk", "date": "2024-05-15", "version": 4, "id": "b25f6f62-0712-43c1-b203-083231ffd97d", "description": "The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.", "references": [], "tags": {"analytic_story": ["CISA AA22-257A", "DHS Report TA18-074A", "HAFNIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.", "risk_score": 42, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`", "how_to_implement": "You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732", "known_false_positives": "The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not \"Administrators\", this search may generate an excessive number of false positives", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_new_local_admin_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Outlook exe writing a zip file", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 5, "id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "description": "The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.", "references": [], "tags": {"analytic_story": ["Amadey", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\Users* OR Filesystem.file_path=*Local\\\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != \"\" | `detect_outlook_exe_writing_a_zip_file_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "It is not uncommon for outlook to write legitimate zip files to the disk.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_outlook_exe_writing_a_zip_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Path Interception By Creation Of program exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 6, "id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "description": "The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint.", "references": ["https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.009", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \"^.*?\\\\\\\\(?[^\\\\\\\\]*\\.(?:exe|bat|com|ps1))\" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_path_interception_by_creation_of_program_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect processes used for System Network Configuration Discovery", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 3, "id": "a51bfe1a-94f0-48cc-b1e4-16ae10145893", "description": "The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.", "references": [], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_processes_used_for_system_network_configuration_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_network_configuration_discovery_tools", "definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration"}], "lookups": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 7, "id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "description": "The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] | `detect_prohibited_applications_spawning_cmd_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_prohibited_applications_spawning_cmd_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "prohibited_apps_launching_cmd_macro", "definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect PsExec With accepteula Flag", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 5, "id": "27c3a83d-cada-47c6-9042-67baf19d2574", "description": "The following analytic identifies the execution of `PsExec.exe` with the `accepteula` flag in the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because PsExec is commonly used by threat actors to execute code on remote systems, and the `accepteula` flag indicates first-time usage, which could signify initial compromise. If confirmed malicious, this activity could allow attackers to gain remote code execution capabilities, potentially leading to further system compromise and lateral movement within the network.", "references": ["https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "IcedID", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_psexec_with_accepteula_flag_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_psexec", "definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rare Executables", "author": "Bhavin Patel, Splunk", "date": "2024-05-21", "version": 5, "id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "description": "The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact.", "references": [], "tags": {"analytic_story": ["Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A rare process - [$process_name$] has been detected on less than 10 hosts in your environment.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate processes may be only rarely executed in your environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_rare_executables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect RClone Command-Line Usage", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "description": "The following analytic detects the usage of `rclone.exe` with specific command-line arguments indicative of file transfer activities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as `rclone.exe` is often used by adversaries for data exfiltration, especially during ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and potential loss of sensitive information. Immediate isolation of the affected endpoint and further investigation are recommended.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1020"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rclone_command_line_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rclone", "definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regasm Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "description": "The following analytic detects regasm.exe spawning a child process. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where regasm.exe is the parent process. This activity is significant because regasm.exe spawning a process is rare and can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated activities.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["DarkGate Malware", "Living Off The Land", "Snake Keylogger", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe NOT (Processes.process_name IN (\"conhost.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regasm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regasm with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "description": "The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regasm_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Regasm with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "description": "The following analytic detects instances of regasm.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regasm.exe. The detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line executions. This activity is significant as it may signal an attempt to evade detection or execute malicious code. If confirmed malicious, attackers could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information. Investigate network connections, parallel processes, and suspicious module loads for further context.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regasm_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regasm", "definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regsvcs Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "description": "The following analytic identifies regsvcs.exe spawning a child process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is regsvcs.exe. This activity is significant because regsvcs.exe rarely spawns child processes, and such behavior can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated suspicious activities.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvcs_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regsvcs with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 4, "id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "description": "The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon Event ID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvcs_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 4, "id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "description": "The following analytic detects instances of regsvcs.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regsvcs.exe. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, IDs, and command-line executions. This activity is significant as it may signal an attempt to evade detection and execute malicious code. If confirmed malicious, the attacker could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvcs_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvcs", "definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regsvr32 Application Control Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "070e9b80-6252-11eb-ae93-0242ac130002", "description": "The following analytic identifies the abuse of Regsvr32.exe to proxy execution of malicious code, specifically detecting the loading of \"scrobj.dll\" by Regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line executions. This activity is significant because Regsvr32.exe is a trusted, signed Microsoft binary, often used in \"Squiblydoo\" attacks to bypass application control mechanisms. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives related to third party software registering .DLL's.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvr32_application_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Remote Access Software Usage File", "author": "Steven Dick", "date": "2024-05-13", "version": 2, "id": "3bf5541a-6a45-4fdc-b01d-59b899fff961", "description": "The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file for known a remote access software [$file_name$] was created on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage FileInfo", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "ccad96d7-a48c-4f13-8b9c-9f6a31cba454", "description": "The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A file attributes for known a remote access software [$process_name$] was detected on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`", "how_to_implement": "This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_fileinfo_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Process", "author": "Steven Dick", "date": "2024-05-23", "version": 2, "id": "ffd5e001-2e34-48f4-97a2-26dc4bb08178", "description": "The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process for a known remote access software $process_name$ was identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Renamed 7-Zip", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "4057291a-b8cf-11eb-95fe-acde48001122", "description": "The following analytic detects the usage of a renamed 7-Zip executable using Sysmon data. It leverages the OriginalFileName field to identify instances where the 7-Zip process has been renamed. This activity is significant as attackers often rename legitimate tools to evade detection while staging or exfiltrating data. If confirmed malicious, this behavior could indicate data exfiltration attempts or other unauthorized data manipulation, potentially leading to significant data breaches or loss of sensitive information. Analysts should validate the legitimacy of the 7-Zip executable and investigate parallel processes for further suspicious activities.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_7_zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Renamed PSExec", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "683e6196-b8e8-11eb-9a79-acde48001122", "description": "The following analytic identifies instances where `PsExec.exe` has been renamed and executed on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because renaming `PsExec.exe` is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml", "https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_psexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Renamed RClone", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "6dca1124-b3ec-11eb-9328-acde48001122", "description": "The following analytic detects the execution of a renamed `rclone.exe` process, which is commonly used for data exfiltration to remote destinations. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and original file names that do not match. This activity is significant because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially leading to significant data loss and further compromise of the affected systems.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1020"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_rclone_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Renamed WinRAR", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "description": "The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["CISA AA22-277A", "Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible third party applications use renamed instances of WinRAR.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_winrar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect RTLO In File Name", "author": "Steven Dick", "date": "2024-05-24", "version": 3, "id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "description": "The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to disguise malicious files as benign by reversing the text that follows the character. If confirmed malicious, this technique can deceive users and security tools, leading to the execution of harmful files and potential system compromise.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.002", "T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = \"\\\\x{202E}\" | rex field=file_name \"(?.+)(?\\\\x{202E})(?.+)\" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rtlo_in_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect RTLO In Process", "author": "Steven Dick", "date": "2024-05-29", "version": 3, "id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "description": "The following analytic identifies the abuse of the right-to-left override (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line data. This activity is significant because adversaries use the RTLO character to disguise malicious files or commands, making them appear benign. If confirmed malicious, this technique can allow attackers to execute harmful code undetected, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.002", "T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process=\"\\\\x{202E}\" | rex field=process \"(?.+)(?\\\\x{202E})(?.+)\" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rtlo_in_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8", "description": "The following analytic detects the execution of rundll32.exe loading advpack.dll or ieadvpack.dll via the LaunchINFSection function. This method is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate script content, network connections, and any spawned child processes for further context.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Advpack/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_application_control_bypass___advpack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "61e7b44a-6088-4f26-b788-9a96ba13b37a", "description": "The following analytic detects the execution of rundll32.exe loading setupapi.dll and iesetupapi.dll via the LaunchINFSection function. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events and command-line arguments. This activity is significant as it indicates a potential application control bypass, allowing an attacker to execute arbitrary script code. If confirmed malicious, this technique could enable code execution, privilege escalation, or persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use setupapi triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_application_control_bypass___setupapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "71b9bf37-cde1-45fb-b899-1b0aa6fa1183", "description": "The following analytic detects the execution of rundll32.exe loading syssetup.dll via the LaunchINFSection function. This method is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate the script content, network connections, and any spawned child processes for further context.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Syssetup/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_application_control_bypass___syssetup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Inline HTA Execution", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "91c79f14-5b41-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of \"rundll32.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "NOBELIUM Group", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious rundll32.exe inline HTA execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect SharpHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "description": "The following analytic detects the execution of SharpHound command-line arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible SharpHound command-Line arguments identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*-collectionMethod*\",\"*invoke-bloodhound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_sharphound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect SharpHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 4, "id": "42b4b438-beed-11eb-ba1d-acde48001122", "description": "The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential SharpHound file modifications identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_sharphound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect SharpHound Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 4, "id": "dd04b29a-beed-11eb-87bc-acde48001122", "description": "The following analytic detects the usage of the SharpHound binary by identifying its original filename, `SharpHound.exe`, and the process name. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process metadata and command-line executions. SharpHound is a tool used for Active Directory enumeration, often by attackers during the reconnaissance phase. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially leading to privilege escalation and lateral movement within the environment.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential SharpHound binary identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_sharphound_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-27", "version": 2, "id": "a15f8977-ad7d-4669-92ef-b59b97219bf5", "description": "The following analytic identifies suspicious process names using a pre-trained Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry to analyze process names and predict their likelihood of being malicious. The model, a character-level Recurrent Neural Network (RNN), classifies process names as benign or suspicious based on a threshold score of 0.5. This detection is significant as it helps identify malware, such as TrickBot, which often uses randomly generated filenames to evade detection. If confirmed malicious, this activity could indicate the presence of malware capable of propagating across the network and executing harmful actions.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa20-302a", "https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if a suspicious processname is similar to a benign processname.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 6, "id": "b89919ed-fe5f-492c-b139-95dbb162039e", "description": "The following analytic detects the execution of cscript.exe or wscript.exe processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes within the Endpoint data model. This activity is significant as it may indicate script-based attacks or administrative actions that could be leveraged for malicious purposes. If confirmed malicious, this behavior could allow attackers to execute scripts, potentially leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1059/", "https://redcanary.com/threat-detection-report/techniques/windows-command-shell/"], "tags": {"analytic_story": ["Azorult", "Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "cmd.exe launching script interpreters $process_name$ on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"cmd.exe\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Webshell Exploit Behavior", "author": "Steven Dick", "date": "2024-05-20", "version": 3, "id": "22597426-6dbd-49bd-bcdc-4ec19857192f", "description": "The following analytic identifies the execution of suspicious processes typically associated with webshell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a webshell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.", "references": ["https://attack.mitre.org/techniques/T1505/003/", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "HAFNIUM Group", "ProxyNotShell", "ProxyShell", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1505.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"arp.exe\",\"at.exe\",\"bash.exe\",\"bitsadmin.exe\",\"certutil.exe\",\"cmd.exe\",\"cscript.exe\", \"dsget.exe\",\"dsquery.exe\",\"find.exe\",\"findstr.exe\",\"fsutil.exe\",\"hostname.exe\",\"ipconfig.exe\",\"ksh.exe\",\"nbstat.exe\", \"net.exe\",\"net1.exe\",\"netdom.exe\",\"netsh.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ntdsutil.exe\",\"pathping.exe\", \"ping.exe\",\"powershell.exe\",\"pwsh.exe\",\"qprocess.exe\",\"query.exe\",\"qwinsta.exe\",\"reg.exe\",\"rundll32.exe\",\"sc.exe\", \"scrcons.exe\",\"schtasks.exe\",\"sh.exe\",\"systeminfo.exe\",\"tasklist.exe\",\"tracert.exe\",\"ver.exe\",\"vssadmin.exe\", \"wevtutil.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\",\"wusa.exe\",\"zsh.exe\") AND Processes.parent_process_name IN (\"w3wp.exe\", \"http*.exe\", \"nginx*.exe\", \"php*.exe\", \"php-cgi*.exe\",\"tomcat*.exe\")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_webshell_exploit_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect WMI Event Subscription Persistence", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "01d9a0c2-cece-11eb-ab46-acde48001122", "description": "The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible malicious WMI Subscription created on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.003", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.", "known_false_positives": "It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_wmi_event_subscription_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detection of tools built by NirSoft", "author": "Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "description": "The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as \"/stext\" and \"/scomma\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1072"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* /stext *\" OR Processes.process=\"* /scomma *\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detection_of_tools_built_by_nirsoft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable AMSI Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "9c27ec42-d338-11eb-9044-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the \"AmsiEnable\" value to \"0x00000000\". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.", "references": ["https://blog.f-secure.com/hunting-for-amsi-bypasses/", "https://gist.github.com/rxwx/8955e5abf18dc258fd6b43a3a7f4dbf9"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable AMSI Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_amsi_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender AntiVirus Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 5, "id": "aa4f695a-3024-11ec-9987-acde48001122", "description": "The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_antivirus_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 5, "id": "2dd719ac-3021-11ec-97b4-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_blockatfirstseen_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender Enhanced Notification", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 4, "id": "dc65678c-301f-11ec-8e30-acde48001122", "description": "The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*Microsoft\\\\Windows Defender\\\\Reporting*\" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_enhanced_notification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may choose to disable windows defender AV", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_enhanced_notification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender MpEngine Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 5, "id": "cc391750-3024-11ec-955a-acde48001122", "description": "The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_mpengine_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender Spynet Reporting", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 5, "id": "898debf4-3021-11ec-ba7c-acde48001122", "description": "The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Qakbot", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_spynet_reporting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender Submit Samples Consent Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 5, "id": "73922ff8-3022-11ec-bf5e-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_submit_samples_consent_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable ETW Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 5, "id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "description": "The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" with a value set to \"0x00000000\". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable ETW Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_etw_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Logs Using WevtUtil", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "236e7c8e-c9d9-11eb-a824-acde48001122", "description": "The following analytic detects the execution of \"wevtutil.exe\" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident.", "references": ["https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "WevtUtil.exe used to disable Event Logging on $dest", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070", "T1070.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"wevtutil.exe\" Processes.process = \"*sl*\" Processes.process = \"*/e:false*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may disable audit event logs for debugging purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_logs_using_wevtutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Registry Tool", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 6, "id": "cd2cf33c-9201-11eb-a10a-acde48001122", "description": "The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" with a value of \"0x00000001\". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Registry Tools on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_registry_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "db596056-3019-11ec-a9ff-acde48001122", "description": "The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "schtask process with commandline $process$ to disable schedule task in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable problematic schedule task", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Security Logs Using MiniNt Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "39ebdc68-25b9-11ec-aec7-acde48001122", "description": "The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"Control\\\\MiniNt\" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.", "references": ["https://twitter.com/0gtweet/status/1182516740955226112"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_security_logs_using_minint_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Show Hidden Files", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 6, "id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.", "references": ["https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis"], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Show Hidden Files' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "disable_show_hidden_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable UAC Remote Restriction", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 5, "id": "9928b732-210e-11ec-b65e-acde48001122", "description": "The following analytic detects the modification of the registry to disable UAC remote restriction by setting the \"LocalAccountTokenFilterPolicy\" value to \"0x00000001\". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\CurrentVersion\\\\Policies\\\\System*\". This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction"], "tags": {"analytic_story": ["CISA AA23-347A", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may set this policy for non-critical machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_uac_remote_restriction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Windows App Hotkeys", "author": "Steven Dick, Teoderick Contreras, Splunkk", "date": "2024-05-11", "version": 5, "id": "1490f224-ad8b-11eb-8c4f-acde48001122", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Windows App Hotkeys' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_windows_app_hotkeys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Windows Behavior Monitoring", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "79439cae-9200-11eb-a4d3-acde48001122", "description": "The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "Ransomware", "RedLine Stealer", "Revil Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender real time behavior monitoring disabled on $dest", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_windows_behavior_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Windows SmartScreen Protection", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 6, "id": "664f0fd0-91ff-11eb-a56f-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Smartscreen was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\", \"*\\\\Microsoft\\\\Windows\\\\System\\\\EnableSmartScreen\") Registry.registry_value_data IN (\"Off\", \"0\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_windows_smartscreen_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "114c6bfe-9406-11ec-bcce-acde48001122", "description": "The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "b0b34e2c-90de-11ec-baeb-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainUser` commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication disabled is significant because adversaries can leverage this information to attempt offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to domain accounts, potentially compromising sensitive information and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Disabling CMD Application", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 6, "id": "ff86077c-9212-11eb-a1e6-acde48001122", "description": "The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableCMD\" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows command prompt was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_cmd_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling ControlPanel", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "6ae0148e-9215-11eb-a94a-acde48001122", "description": "The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Control Panel was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_controlpanel_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Defender Services", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 5, "id": "911eacdc-317f-11ec-ad30-acde48001122", "description": "The following analytic detects the disabling of Windows Defender services by monitoring registry modifications. It leverages registry event data to identify changes to specific registry paths associated with Defender services, where the 'Start' value is set to '0x00000004'. This activity is significant because disabling Defender services can indicate an attempt by an adversary to evade detection and maintain persistence on the endpoint. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches or system compromise.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "RedLine Stealer", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_defender_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Firewall with Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 4, "id": "6860a62c-9203-11eb-9e05-acde48001122", "description": "The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like \"firewall,\" \"off,\" or \"disable.\" This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Firewall was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" (Processes.process= \"*off*\" OR Processes.process= \"*disable*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable firewall during testing or fixing network problem.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "disabling_firewall_with_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling FolderOptions Windows Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 6, "id": "83776de4-921a-11eb-868a-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Folder Options feature, which prevents users from showing hidden files and file extensions. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to conceal malicious files and deceive users with fake file extensions. If confirmed malicious, this could allow an attacker to hide their presence and malicious files, making detection and remediation more difficult.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Folder Options, to hide files, was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_folderoptions_windows_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Net User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "c0325326-acd6-11eb-98c2-acde48001122", "description": "The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1531"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/active:no*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_net_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling NoRun Windows App", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 6, "id": "de81bc46-9213-11eb-adc9-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" with a value of \"0x00000001\". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.malwarebytes.com/detections/pum-optional-norun/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable run application in window start menu on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_norun_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Remote User Account Control", "author": "David Dorsey, Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 5, "id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "description": "The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.", "references": [], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Remcos", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA* Registry.registry_value_data=\"0x00000000\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.", "known_false_positives": "This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_remote_user_account_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling SystemRestore In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 6, "id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "description": "The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable system restore on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "in some cases admin can disable systemrestore on a machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_systemrestore_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Task Manager", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 6, "id": "dac279bc-9202-11eb-b7fb-acde48001122", "description": "The following analytic identifies modifications to the Windows registry that disable Task Manager. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent users from terminating malicious processes. If confirmed malicious, this could allow attackers to maintain persistence and control over the infected system.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Task Manager was disabled on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_task_manager_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "author": "Dean Luxton", "date": "2024-05-19", "version": 3, "id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "description": "The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access.", "references": ["https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1556"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LsaCfgFlags\", \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\*\", \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL\") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Potential to be triggered by an administrator disabling protections for troubleshooting purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_windows_local_security_authority_defences_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DLLHost with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-26", "version": 5, "id": "f1c07594-a141-11eb-8407-acde48001122", "description": "The following analytic detects instances of DLLHost.exe running without command line arguments while establishing a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network activity data. It is significant because DLLHost.exe typically runs with specific arguments, and its absence can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to execute code, move laterally, or exfiltrate data, posing a severe threat to the network's security.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_image", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dllhost_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS Exfiltration Using Nslookup App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "2452e632-9e0d-11eb-bacd-acde48001122", "description": "The following analytic identifies potential DNS exfiltration using the nslookup application. It detects specific command-line parameters such as query type (TXT, A, AAAA) and retry options, which are commonly used by attackers to exfiltrate data. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. This activity is significant as it may indicate an attempt to communicate with a Command and Control (C2) server or exfiltrate sensitive data. If confirmed malicious, this could lead to data breaches and unauthorized access to critical information.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin nslookup usage", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dns_exfiltration_using_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Account Discovery with Dsquery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"dsquery.exe\" AND Processes.process = \"*user*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_account_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Account Discovery With Net App", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "98f6a534-04c2-11ec-96b2-acde48001122", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = \"* user*\" AND Processes.process = \"*/do*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Account Discovery with Wmic", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "383572e0-04c5-11ec-bdcc-acde48001122", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information.", "references": ["https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"wmic.exe\" AND Processes.process = \"*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*GET*\" AND Processes.process = \"*ds_samaccountname*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Controller Discovery with Nltest", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "description": "The following analytic detects the execution of `nltest.exe` with command-line arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `nltest.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"nltest.exe\") (Processes.process=\"*/dclist:*\" OR Processes.process=\"*/dsgetdc:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_controller_discovery_with_nltest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Controller Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=\"\" OR Processes.process=\"*DomainControllerAddress*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_controller_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Group Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` (ScriptBlockText = \"*[adsisearcher]*\" AND ScriptBlockText = \"*(objectcategory=group)*\" AND ScriptBlockText = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_group_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Domain Group Discovery With Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to query for domain groups. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `dsquery.exe` to enumerate domain groups, gaining situational awareness and facilitating further Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the domain structure, identify high-value targets, and plan subsequent attacks, potentially leading to privilege escalation or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_group_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "f2f14ac7-fa81-471a-80d5-7eb65c3c7349", "description": "The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Prestige Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to query for domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness and map out Active Directory structures. If confirmed malicious, this behavior could allow attackers to identify and target specific domain groups, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_group* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Download Files Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "58194e28-ae5e-11eb-8912-acde48001122", "description": "The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Phemedrone Stealer", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious files were downloaded with the Telegram application on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal download of file in telegram app. (if it was a common app in network)", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "download_files_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Drop IcedID License dat", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "b7a045fc-f14a-11eb-8e79-acde48001122", "description": "The following analytic detects the dropping of a suspicious file named \"license.dat\" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process $process_name$ created a file $TargetFilename$ on host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode= 11 TargetFilename = \"*\\\\license.dat\" AND (TargetFilename=\"*\\\\appdata\\\\*\" OR TargetFilename=\"*\\\\programdata\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "drop_icedid_license_dat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "DSQuery Domain Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "cc316032-924a-11eb-91a2-acde48001122", "description": "The following analytic detects the execution of \"dsquery.exe\" with arguments targeting `TrustedDomain` queries directly from the command line. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments. This activity is significant as it often indicates domain trust discovery, a common step in lateral movement or privilege escalation by adversaries. If confirmed malicious, this could allow attackers to map domain trusts, potentially leading to further exploitation and unauthorized access to trusted domains.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc754232(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. If there is a true false positive, filter based on command-line or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dsquery_domain_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Dump LSASS via comsvcs DLL", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "description": "The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "Credential Dumping", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Industroyer2", "Living Off The Land", "Prestige Ransomware", "Suspicious Rundll32 Activity", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dump_lsass_via_comsvcs_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Dump LSASS via procdump", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of procdump.exe to dump the LSASS process, specifically looking for the -mm and -ma command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant because dumping LSASS can expose sensitive credentials, posing a severe security risk. If confirmed malicious, an attacker could obtain credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and further compromise of the environment.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dump_lsass_via_procdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_procdump", "definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Elevated Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query elevated domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Discovery", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*group*\" AND Processes.process=\"*/do*\") (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "elevated_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Elevated Group Discovery with PowerView", "author": "Mauricio Velazco, Splunk", "date": "2024-06-10", "version": 3, "id": "10d62950-0de5-4199-a710-cff9ea79b413", "description": "The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroupMember/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated group discovery using PowerView on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroupMember*\") AND ScriptBlockText IN (\"*Domain Admins*\",\"*Enterprise Admins*\", \"*Schema Admins*\", \"*Account Operators*\" , \"*Server Operators*\", \"*Protected Users*\", \"*Dns Admins*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "elevated_group_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Elevated Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments querying specific elevated domain groups. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes that access the LDAP namespace and search for groups like \"Domain Admins\" or \"Enterprise Admins.\" This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privilege accounts within Active Directory. If confirmed malicious, this behavior could lead to privilege escalation, allowing attackers to gain elevated access and control over critical network resources.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*) (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "elevated_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Enable RDP In Other Port Number", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "99495452-b899-11eb-96dc-acde48001122", "description": "The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" and the \"PortNumber\" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine.", "references": ["https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "RDP was moved to a non-standard port on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "enable_rdp_in_other_port_number_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Enable WDigest UseLogonCredential Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 5, "id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "description": "The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the \"UseLogonCredential\" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network.", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Credential Dumping", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wdigest registry $registry_path$ was modified in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "enable_wdigest_uselogoncredential_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Enumerate Users Local Group Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 4, "id": "fcd74532-ae54-11eb-a5ab-acde48001122", "description": "The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Telegram application has been identified enumerating local groups on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4798 CallerProcessName = \"*\\\\telegram.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode CallerProcessName ProcessID SubjectUserSid SubjectDomainName SubjectLogonId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "enumerate_users_local_group_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Esentutl SAM Copy", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "d372f928-ce4f-11eb-a762-acde48001122", "description": "The following analytic detects the use of `esentutl.exe` to access credentials stored in the ntds.dit or SAM file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it may indicate an attempt to extract sensitive credential information, which is a common tactic in lateral movement and privilege escalation. If confirmed malicious, this could allow an attacker to gain unauthorized access to user credentials, potentially compromising the entire network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md", "https://attack.mitre.org/software/S0404/"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN (\"*ntds*\", \"*SAM*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "esentutl_sam_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_esentutl", "definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ETW Registry Disabled", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 5, "id": "8ed523ac-276b-11ec-ac39-acde48001122", "description": "The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.", "references": ["https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.006", "T1127", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "etw_registry_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Eventvwr UAC Bypass", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "description": "The following analytic detects an Eventvwr UAC bypass by identifying suspicious registry modifications in the path that Eventvwr.msc references upon execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes and process execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing an attacker to execute arbitrary commands with elevated privileges. If confirmed malicious, this could lead to unauthorized code execution, persistence, and further compromise of the affected system.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://attack.mitre.org/techniques/T1548/002/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*mscfile\\\\shell\\\\open\\\\command\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some false positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "eventvwr_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excel Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "42d40a22-9be3-11eb-8f08-acde48001122", "description": "The following analytic detects Microsoft Excel spawning PowerShell, an uncommon and suspicious behavior. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is \"excel.exe\" and the child process is PowerShell. This activity is significant because it is often associated with spearphishing attacks, where malicious attachments execute encoded PowerShell commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to data exfiltration, privilege escalation, or persistent access within the environment.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" `process_powershell` by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "excel_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excel Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "57fe880a-9be3-11eb-9bf3-acde48001122", "description": "The following analytic identifies instances where Microsoft Excel spawns Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is `excel.exe`. This activity is significant because it is uncommon and often associated with malicious actions, such as spearphishing attacks. If confirmed malicious, this could allow an attacker to execute scripts, potentially leading to code execution, data exfiltration, or further system compromise. Immediate investigation and mitigation are recommended.", "references": ["https://app.any.run/tasks/8ecfbc29-03d0-421c-a5bf-3905d29192a2/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "excel_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Attempt To Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 2, "id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "description": "The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where \"sc.exe\" is used with parameters like \"config\" or \"Disabled\" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"sc.exe\" AND Processes.process=\"*config*\" OR Processes.process=\"*Disabled*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_attempt_to_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive distinct processes from Windows Temp", "author": "Michael Hart, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 4, "id": "23587b6a-c479-11eb-b671-acde48001122", "description": "The following analytic identifies an excessive number of distinct processes executing from the Windows\\Temp directory. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths and counts within a 20-minute window. This behavior is significant as it often indicates the presence of post-exploit frameworks like Koadic and Meterpreter, which use this technique to execute malicious actions. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and maintain persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple processes were executed out of windows\\temp within a short amount of time on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\Windows\\\\Temp\\\\*\" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Many benign applications will create processes from executables in Windows\\Temp, although unlikely to exceed the given threshold. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_distinct_processes_from_windows_temp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive File Deletion In WinDefender Folder", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-12", "version": 3, "id": "b5baa09a-7a05-11ec-8da4-acde48001122", "description": "The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename = \"*\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*\" | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`", "how_to_implement": "To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "excessive_file_deletion_in_windefender_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Excessive number of service control start as disabled", "author": "Michael Hart, Splunk", "date": "2024-05-19", "version": 2, "id": "77592bec-d5cc-11eb-9e60-acde48001122", "description": "The following analytic detects an excessive number of `sc.exe` processes launched with the command line argument `start= disabled` within a short period. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and process GUIDs. This activity is significant as it may indicate an attempt to disable critical services, potentially impairing system defenses. If confirmed malicious, this behavior could allow an attacker to disrupt security mechanisms, hinder incident response, and maintain control over the compromised system.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create", "https://attack.mitre.org/techniques/T1562/001/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"sc.exe\" AND Processes.process=\"*start= disabled*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_number_of_service_control_start_as_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive number of taskhost processes", "author": "Michael Hart", "date": "2024-05-20", "version": 4, "id": "f443dac2-c7cf-11eb-ab51-acde48001122", "description": "The following analytic identifies an excessive number of taskhost.exe and taskhostex.exe processes running within a short time frame. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and their counts. This behavior is significant as it is commonly associated with post-exploitation tools like Meterpreter and Koadic, which use multiple instances of these processes for actions such as discovery and lateral movement. If confirmed malicious, this activity could indicate an ongoing attack, allowing attackers to execute code, escalate privileges, or move laterally within the network.", "references": ["https://attack.mitre.org/software/S0250/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"taskhost.exe\" OR Processes.process_name = \"taskhostex.exe\" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == \"taskhost.exe\", pid_count, 0) | eval taskhostex_count_=if(process_name == \"taskhostex.exe\", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 or taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_number_of_taskhost_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Service Stop Attempt", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "ae8d3f4a-acd7-11eb-8846-acde48001122", "description": "The following analytic detects multiple attempts to stop or delete services on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.process_name = \"net1.exe\" AND Processes.process=\"*stop*\" OR Processes.process=\"*delete*\" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_service_stop_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Usage Of Cacls App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "0bdf6092-af17-11eb-939a-acde48001122", "description": "The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Prestige Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"XCACLS.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or administrative scripts may use this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_cacls_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Usage Of Net App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "45e52536-ae42-11eb-b5c6-acde48001122", "description": "The following analytic detects excessive usage of `net.exe` or `net1.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1531"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown. Filter as needed. Modify the time span as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Usage of NSLOOKUP App", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2024-05-15", "version": 3, "id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "description": "The following analytic detects excessive usage of the nslookup application, which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode 1 to monitor process executions, specifically focusing on nslookup.exe. The detection identifies outliers by comparing the frequency of nslookup executions against a calculated threshold. This activity is significant as it can reveal attempts by malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, this behavior could allow attackers to stealthily transfer sensitive information out of the network, bypassing traditional data exfiltration defenses.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"nslookup.exe\" | bucket _time span=1m | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Excessive Usage Of SC Service Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "cb6b339e-d4c6-11eb-a026-acde48001122", "description": "The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Azorult", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive Usage Of SC Service Utility", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"sc.exe\" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_sc_service_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Excessive Usage Of Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "fe5bca48-accb-11eb-a67c-acde48001122", "description": "The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CISA AA22-264A", "CISA AA22-277A", "NjRAT", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Exchange PowerShell Abuse via SSRF", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "29228ab4-0762-11ec-94aa-acde48001122", "description": "The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment.", "references": ["https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`exchange` c_uri=\"*//autodiscover*\" cs_uri_query=\"*PowerShell*\" cs_method=\"POST\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`", "how_to_implement": "The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.", "known_false_positives": "Limited false positives, however, tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "exchange", "definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "exchange_powershell_abuse_via_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Exchange PowerShell Module Usage", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 6, "id": "2d10095e-05ae-11ec-8fdf-acde48001122", "description": "The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) to identify these commands. This activity is significant because these modules can be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell vulnerabilities. If confirmed malicious, attackers could export mailbox contents, assign management roles, conduct mailbox searches, or view recipient objects, potentially leading to data exfiltration, privilege escalation, or unauthorized access to sensitive information.", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "CISA AA22-277A", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Exchange PowerShell module usaged was identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "exchange_powershell_module_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Executable File Written in Administrative SMB Share", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 4, "id": "f63c34fe-a435-11eb-935a-acde48001122", "description": "The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed for lateral movement and remote code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code remotely, potentially compromising additional systems within the network.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/", "https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "Prestige Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.exe\",\"*.dll\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress | `security_content_ctime(firstTime)` | `executable_file_written_in_administrative_smb_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "executable_file_written_in_administrative_smb_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Executables Or Script Creation In Suspicious Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "description": "The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \\windows\\fonts\\, \\users\\public\\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "NjRAT", "PlugX", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Snake Keylogger", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\\\windows\\\\fonts\\\\* OR Filesystem.file_path = *\\\\windows\\\\temp\\\\* OR Filesystem.file_path = *\\\\users\\\\public\\\\* OR Filesystem.file_path = *\\\\windows\\\\debug\\\\* OR Filesystem.file_path = *\\\\Users\\\\Administrator\\\\Music\\\\* OR Filesystem.file_path = *\\\\Windows\\\\servicing\\\\* OR Filesystem.file_path = *\\\\Users\\\\Default\\\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\\\Windows\\\\Media\\\\* OR Filesystem.file_path = *\\\\Windows\\\\repair\\\\* OR Filesystem.file_path = *\\\\AppData\\\\Local\\\\Temp* OR Filesystem.file_path = *\\\\PerfLogs\\\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "executables_or_script_creation_in_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Execute Javascript With Jscript COM CLSID", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "dc64d064-d346-11eb-8588-acde48001122", "description": "The following analytic detects the execution of JavaScript using the JScript.Encode CLSID (COM Object) by cscript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as it is a known technique used by ransomware, such as Reddot, to execute malicious scripts and potentially disable AMSI (Antimalware Scan Interface). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cscript.exe\" Processes.process=\"*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "execute_javascript_with_jscript_com_clsid_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Execution of File with Multiple Extensions", "author": "Rico Valdez, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 4, "id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "description": "The following analytic detects the execution of files with multiple extensions, such as \".doc.exe\" or \".pdf.exe\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the file name contains double extensions. This activity is significant because attackers often use double extensions to disguise malicious executables as benign documents, increasing the likelihood of user execution. If confirmed malicious, this technique can lead to unauthorized code execution, potentially compromising the endpoint and allowing further malicious activities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "DarkGate Malware", "Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Parent Process", "Attacker"]}], "message": "process $process$ have double extensions in the file name is executed on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036", "T1036.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.doc.exe\", \"*.xls.exe\",\"*.ppt.exe\", \"*.htm.exe\", \"*.html.exe\", \"*.txt.exe\", \"*.pdf.exe\", \"*.docx.exe\", \"*.xlsx.exe\", \"*.pptx.exe\",\"*.one.exe\", \"*.bat.exe\", \"*rtf.exe\") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "execution_of_file_with_multiple_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Extraction of Registry Hives", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "8bbb7d58-b360-11eb-ba21-acde48001122", "description": "The following analytic detects the use of `reg.exe` to export Windows Registry hives, which may contain sensitive credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `save` or `export` actions targeting the `sam`, `system`, or `security` hives. This activity is significant as it indicates potential offline credential access attacks, often executed from untrusted processes or scripts. If confirmed malicious, attackers could gain access to credential data, enabling further compromise and lateral movement within the network.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=\"*\\sam *\" OR Processes.process=\"*\\system *\" OR Processes.process=\"*\\security *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible some agent based products will generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "extraction_of_registry_hives_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "File with Samsam Extension", "author": "Rico Valdez, Splunk", "date": "2024-05-22", "version": 2, "id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "description": "The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "message": "File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \"(?\\.[^\\.]+)$\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because these extensions are not typically used in normal operations, you should investigate all results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "file_with_samsam_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Firewall Allowed Program Enable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "9a8f63a8-43ac-11ec-904c-acde48001122", "description": "The following analytic detects the modification of a firewall rule to allow the execution of a specific application. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events with command-line arguments related to firewall rule changes. This activity is significant as it may indicate an attempt to bypass firewall restrictions, potentially allowing unauthorized applications to communicate over the network. If confirmed malicious, this could enable an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the target environment.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Azorult", "BlackByte Ransomware", "NjRAT", "PlugX", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "firewall_allowed_program_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "First Time Seen Child Process of Zoom", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "description": "The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint.", "references": [], "tags": {"analytic_story": ["Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker", "Child Process"]}], "message": "Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \"`previously_seen_zoom_child_processes_window`\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "first_time_seen_child_process_of_zoom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_seen_zoom_child_processes_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "zoom_first_time_child_process", "description": "A list of suspicious file names", "collection": "zoom_first_time_child_process", "case_sensitive_match": null, "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen"}]}, {"name": "First Time Seen Running Windows Service", "author": "David Dorsey, Splunk", "date": "2024-05-21", "version": 5, "id": "823136f2-d755-4b6d-ae04-372b486a5808", "description": "The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the \"running\" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "first_time_seen_running_windows_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_seen_windows_services_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services"}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running", "collection": "previously_seen_running_windows_services", "case_sensitive_match": null, "fields_list": "_key, service, firstTimeSeen, lastTimeSeen"}]}, {"name": "FodHelper UAC Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "description": "The following analytic detects the execution of fodhelper.exe, which is known to exploit a User Account Control (UAC) bypass by leveraging specific registry keys. The detection method uses Endpoint Detection and Response (EDR) telemetry to identify when fodhelper.exe spawns a child process and accesses the registry keys. This activity is significant because it indicates a potential privilege escalation attempt by an attacker. If confirmed malicious, the attacker could execute commands with elevated privileges, leading to unauthorized system changes and potential full system compromise.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://github.com/gushmazuko/WinBypass/blob/master/FodhelperBypass.ps1", "https://attack.mitre.org/techniques/T1548/002/"], "tags": {"analytic_story": ["IcedID", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious registy keys added by process fodhelper.exe with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112", "T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "fodhelper_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Fsutil Zeroing File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "description": "The following analytic detects the execution of the 'fsutil' command with the 'setzerodata' parameter, which zeros out a target file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is a technique used by ransomware, such as LockBit, to evade detection by erasing its malware path after encrypting the host. If confirmed malicious, this action could hinder forensic investigations and allow attackers to cover their tracks, complicating incident response efforts.", "references": ["https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible file data deletion on $dest$ using $process$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process=\"*setzerodata*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "fsutil_zeroing_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "36e46ebe-065a-11ec-b4c7-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can indicate attempts by adversaries to gather information about domain policies for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain security settings.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADDefaultDomainPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_addefaultdomainpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "description": "The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"Get-ADDefaultDomainPasswordPolicy\" to query domain password policy on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-ADDefaultDomainPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get ADUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to identify high-value targets and plan subsequent attacks.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUser*\" AND Processes.process = \"*-filter*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_aduser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "21432e40-04f4-11ec-b7e6-acde48001122", "description": "The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"get-aduser\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-aduser*\" ScriptBlockText = \"*-filter*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_aduser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "8b5ef342-065a-11ec-b0fc-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential enumeration of domain policies, a common tactic for situational awareness and Active Directory discovery by adversaries. If confirmed malicious, this could allow attackers to understand password policies, aiding in further attacks such as password spraying or brute force attempts.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUserResultantPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_aduserresultantpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 4, "id": "737e1eb0-065a-11ec-921a-acde48001122", "description": "The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline to query domain user password policy detected on host - $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Get-ADUserResultantPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get DomainPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "b8f9947e-065a-11ec-aafb-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to retrieve password policies in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this could lead to unauthorized access to sensitive domain configurations, aiding in privilege escalation and lateral movement within the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get DomainPolicy with Powershell Script Block", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 3, "id": "a360d2b2-065a-11ec-b0bf-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline $ScriptBlockText$ to query domain policy.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-DomainPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "4fa7f846-054a-11ec-a836-acde48001122", "description": "The following analytic identifies the execution of the Get-DomainTrust command from PowerView using PowerShell, which is used to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential reconnaissance efforts by an adversary to understand domain trust relationships, which can inform lateral movement strategies. If confirmed malicious, this could allow attackers to map out the network, identify potential targets, and plan further attacks, potentially compromising additional systems within the domain.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domaintrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "89275e7e-0548-11ec-bf75-acde48001122", "description": "The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible certain system management frameworks utilize this command to gather trust information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domaintrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get DomainUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "9a5a41d6-04e7-11ec-923c-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-DomainUser` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams using PowerView for Active Directory discovery. If confirmed malicious, this could allow attackers to gain situational awareness and identify valuable targets within the domain, potentially leading to further exploitation.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainUser*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainuser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get DomainUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 4, "id": "61994268-04f4-11ec-865c-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainUser` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages PowerShell operational logs to identify instances where this command is executed. Monitoring this activity is crucial as it may indicate an adversary's attempt to gather information about domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain resources.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"*Get-DomainUser*\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainUser*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainuser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "584f4884-0bf1-11ec-a5ec-acde48001122", "description": "The following analytic detects the execution of the Get-ForestTrust command via PowerShell, commonly used by adversaries to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying this activity is crucial as it indicates potential reconnaissance efforts to map out domain trusts, which can inform further attacks. If confirmed malicious, this activity could allow attackers to understand domain relationships, aiding in lateral movement and privilege escalation within the network.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_foresttrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "description": "The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_foresttrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get WMIObject Group Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "5434f670-155d-11ec-8cca-acde48001122", "description": "The following analytic detects the use of the `Get-WMIObject Win32_Group` command executed via PowerShell to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying local groups can be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out group memberships, aiding in further exploitation or unauthorized access to sensitive resources.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process=\"*Get-WMIObject*\" AND Processes.process=\"*Win32_Group*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_wmiobject_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "69df7f7c-155d-11ec-a055-acde48001122", "description": "The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery enumeration on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-WMIObject*\" AND ScriptBlockText = \"*Win32_Group*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_wmiobject_group_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetAdComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdComputer` commandlet, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it indicates potential reconnaissance efforts by adversaries to map out domain computers, which is a common step in the attack lifecycle. If confirmed malicious, this behavior could allow attackers to gain situational awareness and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadcomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetAdComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 4, "id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "description": "The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-AdComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadcomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetAdGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows Domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an adversary or Red Team enumerating domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadgroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetAdGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "description": "The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ADGroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadgroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetCurrent User with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET class. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use this method to identify the logged-in user on a compromised endpoint, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this could allow attackers to gain insights into user context, potentially facilitating further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getcurrent_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetCurrent User with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "80879283-c30f-44f7-8471-d1381f6d437a", "description": "The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[System.Security.Principal.WindowsIdentity]*\" ScriptBlockText = \"*GetCurrent()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getcurrent_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetDomainComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize `Get-DomainComputer` to discover remote systems. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as `Get-DomainComputer` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to map out the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaincomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetDomainComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "f64da023-b988-4775-8d57-38e512beb56e", "description": "The following analytic detects the execution of the `Get-DomainComputer` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for enumerating domain computers within Windows environments. The detection leverages script block text analysis to identify this specific command. Monitoring this activity is crucial as it can indicate an adversary's attempt to gather information about domain computers, which is a common step in Active Directory reconnaissance. If confirmed malicious, this activity could lead to further network enumeration and potential lateral movement within the domain.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainComputer/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaincomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetDomainController with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-DomainController` command, which is used to discover remote systems within a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an attempt to enumerate domain controllers, a common tactic in Active Directory discovery. If confirmed malicious, this activity could allow attackers to gain situational awareness, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery using PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getdomaincontroller_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetDomainController with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "676b600a-a94d-4951-b346-11329431e6c1", "description": "The following analytic detects the execution of the `Get-DomainController` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for domain enumeration. The detection leverages script block text to identify this specific activity. Monitoring this behavior is crucial as it may indicate an adversary or Red Team performing reconnaissance to map out domain controllers. If confirmed malicious, this activity could lead to further domain enumeration, potentially exposing sensitive information and aiding in lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $Computer$ by $UserID$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainController*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaincontroller_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetDomainGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "93c94be3-bead-4a60-860f-77ca3fe59903", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that query for domain groups using `Get-DomainGroup`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. Monitoring this activity is crucial as `Get-DomainGroup` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to gain insights into domain group structures, aiding in further exploitation and privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery with PowerView on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaingroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetDomainGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "description": "The following analytic detects the execution of the `Get-DomainGroup` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerView on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroup*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView functions for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaingroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetLocalUser with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "85fae8fa-0427-11ec-8b78-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-LocalUser` commandlet, which is used to query local user accounts. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant because adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify potential targets for further exploitation or privilege escalation within the environment.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getlocaluser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetLocalUser with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "2e891cbe-0426-11ec-9c9c-acde48001122", "description": "The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-LocalUser*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getlocaluser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "description": "The following analytic identifies the execution of `powershell.exe` with the `Get-NetTcpConnection` command, which lists current TCP connections on a system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is significant as it may indicate an adversary or Red Team performing network reconnaissance or situational awareness. If confirmed malicious, this activity could allow attackers to map network connections, aiding in lateral movement or further exploitation within the network.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getnettcpconnection_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "091712ff-b02a-4d43-82ed-34765515d95d", "description": "The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-NetTcpconnection*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getnettcpconnection_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet to discover remote systems, specifically targeting the `DS_Computer` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain computers and gather situational awareness within Active Directory. If confirmed malicious, this behavior could allow attackers to map the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration using WMI on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_computer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify queries targeting domain computers using WMI. Monitoring this activity is crucial as adversaries and Red Teams may use it for Active Directory Discovery and situational awareness. If confirmed malicious, this behavior could allow attackers to map out domain computers, facilitating further attacks such as lateral movement or privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_computer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_computer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "df275a44-4527-443b-b884-7600e066e3eb", "description": "The following analytic identifies the execution of `powershell.exe` with command-line arguments used to query domain groups via the `Get-WmiObject` cmdlet and the `-class ds_group` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this could allow attackers to gain insights into the domain structure, aiding in further attacks and privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_group_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "67740bd3-1506-469c-b91d-effc322cc6e5", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages WMI to query all domain groups. Monitoring this activity is crucial as adversaries and Red Teams may use it for domain group enumeration, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map out the domain structure, potentially leading to further exploitation and privilege escalation within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "22d3b118-04df-11ec-8fa3-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to query domain users via the `Get-WmiObject` cmdlet and `-class ds_user` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this could lead to further attacks, including privilege escalation and lateral movement within the network.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*get-wmiobject*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*root\\\\directory\\\\ldap*\" AND Processes.process = \"*-namespace*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 4, "id": "fabd364e-04f3-11ec-b34b-acde48001122", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). It leverages logs to identify attempts to query all domain users using WMI. This activity is significant as it may indicate an adversary or Red Team operation attempting to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to map out the network and identify potential targets for privilege escalation or lateral movement.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/describing-the-ldap-namespace"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline for user enumeration detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-wmiobject*\" ScriptBlockText = \"*ds_user*\" ScriptBlockText = \"*-namespace*\" ScriptBlockText = \"*root\\\\directory\\\\ldap*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "b44f6ac6-0429-11ec-87e9-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` parameter to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate user accounts for situational awareness or Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getwmiobject_user_account_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "640b0eda-0429-11ec-accd-acde48001122", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Get-WmiObject*\" AND ScriptBlockText=\"*Win32_UserAccount*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getwmiobject_user_account_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "2c853856-a140-11eb-a5b5-acde48001122", "description": "The following analytic detects the execution of gpupdate.exe without command line arguments and with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them, especially with network activity, is often associated with malicious software like Cobalt Strike. If confirmed malicious, this activity could indicate an attacker leveraging gpupdate.exe for lateral movement, command and control, or other nefarious purposes, potentially leading to system compromise.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "C2", "type": "IP Address", "role": ["Attacker"]}], "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "gpupdate_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Headless Browser Mockbin or Mocky Request", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "94fc85a1-e55b-4265-95e1-4b66730e05c0", "description": "The following analytic detects headless browser activity accessing mockbin.org or mocky.io. It identifies processes with the \"--headless\" and \"--disable-gpu\" command line arguments, along with references to mockbin.org or mocky.io. This behavior is significant as headless browsers are often used for automated tasks, including malicious activities like web scraping or automated attacks. If confirmed malicious, this activity could indicate an attempt to bypass traditional browser security measures, potentially leading to data exfiltration or further exploitation of web applications.", "references": ["https://mockbin.org/", "https://www.mocky.io/"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1564.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\" AND (Processes.process=\"*mockbin.org/*\" OR Processes.process=\"*mocky.io/*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "headless_browser_mockbin_or_mocky_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Headless Browser Usage", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "869ba261-c272-47d7-affe-5c0aa85c93d6", "description": "The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the \"--headless\" and \"--disable-gpu\" command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications.", "references": ["https://cert.gov.ua/article/5702579"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Behavior related to headless browser usage detected on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1564.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "headless_browser_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Hide User Account From Sign-In Screen", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 5, "id": "834ba832-ad89-11eb-937d-acde48001122", "description": "The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" with a value of \"0x00000000\". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Warzone RAT", "Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "registry_value_name", "type": "Other", "role": ["Attacker"]}], "message": "Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "hide_user_account_from_sign_in_screen_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Hiding Files And Directories With Attrib exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 6, "id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "description": "The following analytic detects the use of the Windows binary attrib.exe to hide files or directories by marking them with specific flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include the \"+h\" flag. This activity is significant because hiding files can be a tactic used by attackers to conceal malicious files or tools from users and security software. If confirmed malicious, this behavior could allow an attacker to persist in the environment undetected, potentially leading to further compromise or data exfiltration.", "references": [], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222", "T1222.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`hiding_files_and_directories_with_attrib_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some applications and users may legitimately use attrib.exe to interact with the files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "hiding_files_and_directories_with_attrib_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "High Frequency Copy Of Files In Network Share", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "40925f12-4709-11ec-bb43-acde48001122", "description": "The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.", "references": ["https://attack.mitre.org/techniques/T1537/"], "tags": {"analytic_story": ["Information Sabotage", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "High frequency copy of document into a network share from $src_ip$ by $src_user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.doc\",\"*.docx\",\"*.xls\",\"*.xlsx\",\"*.ppt\",\"*.pptx\",\"*.log\",\"*.txt\",\"*.db\",\"*.7z\",\"*.zip\",\"*.rar\",\"*.tar\",\"*.gz\",\"*.jpg\",\"*.gif\",\"*.png\",\"*.bmp\",\"*.pdf\",\"*.rtf\",\"*.key\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "This behavior may seen in normal transfer of file within network if network share is common place for sharing documents.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "high_frequency_copy_of_files_in_network_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "High Process Termination Frequency", "author": "Teoderick Contreras", "date": "2024-05-12", "version": 3, "id": "17cd75b2-8666-11eb-9ab4-acde48001122", "description": "The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware", "LockBit Ransomware", "Rhysida Ransomware", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "proc_terminated", "type": "Process", "role": ["Target"]}], "message": "High frequency process termination (more than 15 processes within 3s) detected on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin or user tool that can terminate multiple process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "high_process_termination_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Hunting 3CXDesktopApp Software", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "description": "The following analytic detects the presence of any version of the 3CXDesktopApp, also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint data model's Processes node to identify instances of the application running, although it does not provide file version information. This activity is significant because 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could be exploited by attackers. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected systems.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance $process_name$ was identified on endpoint $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1195.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name=\"3CX Desktop App\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "hunting_3cxdesktopapp_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Icacls Deny Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "description": "The following analytic detects instances where an adversary modifies security permissions of a file or directory using commands like \"icacls.exe\", \"cacls.exe\", or \"xcacls.exe\" with deny options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and impede access to critical files. If confirmed malicious, this could allow attackers to maintain persistence and hinder incident response efforts.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Sandworm Tools", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/deny*\", \"*/D*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "icacls_deny_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ICACLS Grant Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "b1b1e316-accc-11eb-a9b4-acde48001122", "description": "The following analytic detects the use of the ICACLS command to grant additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to manipulate file permissions, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/grant*\", \"*/G*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "icacls_grant_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "IcedID Exfiltrated Archived File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "0db4da70-f14b-11eb-8043-acde48001122", "description": "The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $TargetFilename$ on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode= 11 (TargetFilename = \"*\\\\passff.tar\" OR TargetFilename = \"*\\\\cookie.tar\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "icedid_exfiltrated_archived_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 4, "id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "description": "The following analytic identifies the use of suspicious command-line parameters associated with Impacket tools, such as `wmiexec.py`, `smbexec.py`, `dcomexec.py`, and `atexec.py`, which are used for lateral movement and remote code execution. It detects these activities by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns. This activity is significant because Impacket tools are commonly used by adversaries and Red Teams to move laterally within a network. If confirmed malicious, this could allow attackers to execute commands remotely, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = \"*/Q /c * \\\\\\\\127.0.0.1\\\\*$*\" AND Processes.process IN (\"*2>&1*\",\"*2>&1*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "impacket_lateral_movement_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "description": "The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of Impacket tool usage. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement. If confirmed malicious, this activity could allow attackers to execute commands on remote endpoints, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process,\"(?i)echo\\s+cd\") AND match(process, \"(?i)\\\\__output\") AND match(process, \"(?i)C:\\\\\\\\Windows\\\\\\\\[a-zA-Z]{1,8}\\\\.bat\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "impacket_lateral_movement_smbexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "description": "The following analytic detects the use of Impacket's `wmiexec.py` tool for lateral movement by identifying specific command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned by `wmiprvse.exe` with command-line patterns indicative of Impacket usage. This activity is significant as Impacket tools are commonly used by adversaries for remote code execution and lateral movement within a network. If confirmed malicious, this could allow attackers to execute arbitrary commands on remote systems, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") AND match(process, \"__\\\\d{1,10}\\\\.\\\\d{1,10}\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 5, "id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "description": "The following analytic detects the use of the `Enter-PSSession` cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An interactive session was opened on a remote endpoint from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Enter-PSSession*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "interactive_session_on_remote_endpoint_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Java Class File download by Java User Agent", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "8281ce42-5c50-11ec-82d2-acde48001122", "description": "The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. It leverages web or proxy logs within the Web Datamodel to detect this activity. This behavior is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, an attacker could exploit vulnerabilities in the Java application, potentially leading to remote code execution and further compromise of the affected system.", "references": ["https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_user_agent", "type": "Other", "role": ["Other"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}], "message": "A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_user_agent=\"*Java*\" Web.http_method=\"GET\" Web.url=\"*.class*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "Filtering may be required in some instances, filter as needed.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "java_class_file_download_by_java_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Java Writing JSP File", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "eb65619c-4f8d-4383-a975-d352765d344b", "description": "The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Spring4Shell CVE-2022-22965", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"java\",\"java.exe\", \"javaw.exe\") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.jsp*\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "java_writing_jsp_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Jscript Execution Using Cscript App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "002f1e24-146e-11ec-a470-acde48001122", "description": "The following analytic detects the execution of JScript using the cscript.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This behavior is significant because JScript files are typically executed by wscript.exe, making cscript.exe execution unusual and potentially indicative of malicious activity, such as the FIN7 group's tactics. If confirmed malicious, this activity could allow attackers to execute arbitrary scripts, leading to code execution, data exfiltration, or further system compromise.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute jscript in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"cscript.exe\" AND Processes.parent_process = \"*//e:jscript*\") OR (Processes.process_name = \"cscript.exe\" AND Processes.process = \"*//e:jscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "jscript_execution_using_cscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Kerberoasting spn request with RC4 encryption", "author": "Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 6, "id": "5cc67381-44fa-4111-8a37-7a230943f027", "description": "The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools. This activity is significant as Kerberoasting allows attackers to request service tickets for domain accounts, typically service accounts, and crack them offline to gain privileged access. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/4e3e9c8096dde00639a6b98845ec349135554ed5/atomics/T1208/T1208.md", "https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential kerberoasting attack via service principal name requests detected on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4769 ServiceName!=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, service, TicketEncryptionType, TicketOptions | rename Computer as dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberoasting_spn_request_with_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "0cb847ee-9423-11ec-b2df-acde48001122", "description": "The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User Name", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled for $user$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Unknown.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "59b51620-94c9-11ec-b3d5-acde48001122", "description": "The following analytic detects the use of the `Set-ADAccountControl` PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific command execution. Disabling Kerberos Pre-Authentication is significant because it allows adversaries to perform offline brute force attacks against user passwords using the AS-REP Roasting technique. If confirmed malicious, this activity could enable attackers to escalate privileges or maintain persistence within an Active Directory environment, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled using PowerShell on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Although unlikely, Administrators may need to set this flag for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "7d90f334-a482-11ec-908c-acde48001122", "description": "The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.", "references": ["https://attack.mitre.org/techniques/T1558/001/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769", "https://adsecurity.org/?p=1515", "https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos Service TTicket request with RC4 encryption was requested from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_service_ticket_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos TGT Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "18916468-9c04-11ec-bdc6-acde48001122", "description": "The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_tgt_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos User Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "description": "The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.", "references": ["https://github.com/ropnop/kerbrute", "https://attack.mitre.org/techniques/T1589/002/", "https://redsiege.com/tools-techniques/2020/04/user-enumeration-part-3-windows/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential Kerberos based user enumeration attack $src_ip$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1589", "T1589.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!=\"*$\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1| `kerberos_user_enumeration_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "kerberos_user_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Known Services Killed by Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 3, "id": "3070f8e0-c528-11eb-b2a0-acde48001122", "description": "The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "param1", "type": "Other", "role": ["Other"]}], "message": "Known services $param1$ terminated by a potential ransomware on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7036 param1 IN (\"*Volume Shadow Copy*\",\"*VSS*\", \"*backup*\", \"*sophos*\", \"*sql*\", \"*memtas*\", \"*mepocs*\", \"*veeam*\", \"*svc$*\", \"DefWatch\", \"ccEvtMgr\", \"ccSetMgr\", \"SavRoam\", \"RTVscan\", \"QBFCService\", \"QBIDPService\", \"Intuit.QuickBooks.FCS\", \"QBCFMonitorService\" \"YooBackup\", \"YooIT\", \"*Veeam*\", \"PDVFSService\", \"BackupExecVSSProvider\", \"BackupExecAgentAccelerator\", \"BackupExec*\", \"WdBoot\", \"WdFilter\", \"WdNisDrv\", \"WdNisSvc\", \"WinDefend\", \"wscsvc\", \"Sense\", \"sppsvc\", \"SecurityHealthService\") param2=\"stopped\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.", "known_false_positives": "Admin activities or installing related updates may do a sudden stop to list of services we monitor.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "known_services_killed_by_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Linux Account Manipulation Of SSH Config and Keys", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "description": "The following analytic detects the deletion of SSH keys on a Linux machine. It leverages filesystem event logs to identify when files within \"/etc/ssh/*\" or \"~/.ssh/*\" are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN (\"/etc/ssh/*\", \"~/.ssh/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_account_manipulation_of_ssh_config_and_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Add Files In Known Crontab Directories", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "023f3452-5f27-11ec-bf00-acde48001122", "description": "The following analytic detects unauthorized file creation in known crontab directories on Unix-based systems. It leverages filesystem data to identify new files in directories such as /etc/cron* and /var/spool/cron/*. This activity is significant as it may indicate an attempt by threat actors or malware to establish persistence on a compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/", "https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/cron*\", \"*/var/spool/cron/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_add_files_in_known_crontab_directories_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Add User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "description": "The following analytic detects the creation of new user accounts on Linux systems using commands like \"useradd\" or \"adduser.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.", "references": ["https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create user account on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"useradd\", \"adduser\") OR Processes.process IN (\"*useradd *\", \"*adduser *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_add_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Adding Crontab Using List Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "description": "The following analytic detects suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to establish persistence or execute malicious code on a schedule. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. Further investigation should analyze the added cron job, its associated command, and any related processes.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Gomir", "Industroyer2", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab list command $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"crontab\" Processes.process= \"* -l*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_adding_crontab_using_list_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux apt-get Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 2, "id": "d870ce3b-e796-402f-b2af-cab4da1223f2", "description": "The following analytic detects the execution of the 'apt-get' command with elevated privileges using 'sudo' on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a user may be attempting to escalate privileges to root, which could lead to unauthorized system control. If confirmed malicious, an attacker could gain root access, allowing them to execute arbitrary commands, install or remove software, and potentially compromise the entire system.", "references": ["https://gtfobins.github.io/gtfobins/apt-get/", "https://phoenixnap.com/kb/how-to-use-apt-get-commands"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt-get*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_apt_get_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux APT Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 2, "id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "description": "The following analytic detects the use of the Advanced Package Tool (APT) with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where APT commands are executed with sudo rights. This activity is significant because it indicates a user can run system commands as root, potentially leading to unauthorized root shell access. If confirmed malicious, this could allow an attacker to escalate privileges, execute arbitrary commands, and gain full control over the affected system, posing a severe security risk.", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://www.digitalocean.com/community/tutorials/what-is-apt"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_apt_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux At Allow Config File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "977b3082-5f3d-11ec-b954-acde48001122", "description": "The following analytic detects the creation of the /etc/at.allow or /etc/at.deny configuration files in Linux. It leverages file creation events from the Endpoint datamodel to identify when these files are created. This activity is significant as these files control user permissions for the \"at\" scheduling application and can be abused by attackers to establish persistence. If confirmed malicious, this could allow unauthorized execution of malicious code, leading to potential data theft or further system compromise. Analysts should review the file path, creation time, and associated processes to assess the threat.", "references": ["https://linuxize.com/post/at-command-in-linux/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/at.allow\", \"*/etc/at.deny\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_at_allow_config_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux At Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 3, "id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "description": "The following analytic detects the execution of the \"At\" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with \"at\" or \"atd\". This activity is significant because the \"At\" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.", "references": ["https://attack.mitre.org/techniques/T1053/001/", "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "At application was executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.002", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"at\", \"atd\") OR Processes.parent_process_name IN (\"at\", \"atd\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_at_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux AWK Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "4510cae0-96a2-4840-9919-91d262db210a", "description": "The following analytic detects the use of the AWK command with elevated privileges to execute system commands. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring processes that include \"sudo,\" \"awk,\" and \"BEGIN*system\" in their command lines. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by executing commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control over the affected endpoint.", "references": ["https://www.hacknos.com/awk-privilege-escalation/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*\" AND Processes.process=\"*awk*\" AND Processes.process=\"*BEGIN*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Busybox Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-27", "version": 2, "id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "description": "The following analytic detects the execution of BusyBox with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where BusyBox is executed with both 'sh' and 'sudo' commands. This activity is significant because it indicates a user may be attempting to gain root access, bypassing standard security controls. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and potential persistence within the environment.", "references": ["https://gtfobins.github.io/gtfobins/busybox/", "https://man.archlinux.org/man/busybox.1.en"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*busybox*\" AND Processes.process=\"*sh*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_busybox_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux c89 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-30", "version": 2, "id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "description": "The following analytic detects the execution of the 'c89' command with elevated privileges, which can be used to compile and execute C programs as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute arbitrary commands as root. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute any command with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/c89/", "https://www.ibm.com/docs/en/zos/2.1.0?topic=guide-c89-compiler-invocation-using-host-environment-variables"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c89*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_c89_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux c99 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-21", "version": 2, "id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "description": "The following analytic detects the execution of the c99 utility with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of the c99 utility to gain root access, which is critical for maintaining system security. If confirmed malicious, this could allow an attacker to execute commands as root, potentially compromising the entire system and accessing sensitive information.", "references": ["https://gtfobins.github.io/gtfobins/c99/", "https://pubs.opengroup.org/onlinepubs/009604499/utilities/c99.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c99*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_c99_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Change File Owner To Root", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c1400ea2-6257-11ec-ad49-acde48001122", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "references": ["https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users", "https://askubuntu.com/questions/617850/changing-from-user-to-superuser"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may change ownership to root on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222.002", "T1222"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = \"*chown *\") AND Processes.process = \"* root *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_change_file_owner_to_root_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Clipboard Data Copy", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "description": "The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://linux.die.net/man/1/xclip"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1115"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN (\"*-o *\", \"*-sel *\", \"*-selection *\", \"*clip *\",\"*clipboard*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_clipboard_data_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Common Process For Elevation Control", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "66ab15c0-63d0-11ec-9e70-acde48001122", "description": "The following analytic identifies the execution of common Linux processes used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because these processes are often abused by adversaries to gain persistence or escalate privileges on compromised hosts. If confirmed malicious, this behavior could allow attackers to modify file attributes, change file ownership, or set user IDs, potentially leading to unauthorized access and control over critical system resources.", "references": ["https://attack.mitre.org/techniques/T1548/001/", "https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297", "https://github.com/bfuzzy1/auditd-attack/blob/master/auditd-attack/auditd-attack.rules#L269-L270", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ with process $process_name$ on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.001", "T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"chmod\", \"chown\", \"fchmod\", \"fchmodat\", \"fchown\", \"fchownat\", \"fremovexattr\", \"fsetxattr\", \"lchown\", \"lremovexattr\", \"lsetxattr\", \"removexattr\", \"setuid\", \"setgid\", \"setreuid\", \"setregid\", \"chattr\") OR Processes.process IN (\"*chmod *\", \"*chown *\", \"*fchmod *\", \"*fchmodat *\", \"*fchown *\", \"*fchownat *\", \"*fremovexattr *\", \"*fsetxattr *\", \"*lchown *\", \"*lremovexattr *\", \"*lsetxattr *\", \"*removexattr *\", \"*setuid *\", \"*setgid *\", \"*setreuid *\", \"*setregid *\", \"*setcap *\", \"*chattr *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_common_process_for_elevation_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Composer Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 2, "id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "description": "The following analytic detects the execution of the Composer tool with elevated privileges on a Linux system. It identifies instances where Composer is run with the 'sudo' command, allowing the user to execute system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to unauthorized root access. If confirmed malicious, an attacker could gain full control over the system, execute arbitrary commands, and compromise sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/composer/", "https://getcomposer.org/doc/00-intro.md"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*composer*\" AND Processes.process=\"*run-script*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_composer_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Cpulimit Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 2, "id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "description": "The following analytic detects the use of the 'cpulimit' command with specific flags ('-l', '-f') executed with 'sudo' privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because if 'cpulimit' is granted sudo rights, a user can potentially execute system commands as root, leading to privilege escalation. If confirmed malicious, this could allow an attacker to gain root access, execute arbitrary commands, and fully compromise the affected system.", "references": ["https://gtfobins.github.io/gtfobins/cpulimit/", "http://cpulimit.sourceforge.net/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*cpulimit*\" AND Processes.process=\"*-l*\" AND Processes.process=\"*-f*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_cpulimit_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Csvtool Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 2, "id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "description": "The following analytic detects the execution of the 'csvtool' command with 'sudo' privileges, which can allow a user to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain unauthorized root access. If confirmed malicious, this could lead to full system compromise, allowing an attacker to execute arbitrary commands, escalate privileges, and maintain persistent access.", "references": ["https://gtfobins.github.io/gtfobins/csvtool/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*csvtool*\" AND Processes.process=\"*call*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_csvtool_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Curl Upload File", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "description": "The following analytic detects the use of the curl command with specific switches (-F, --form, --upload-file, -T, -d, --data, --data-raw, -I, --head) to upload AWS credentials or configuration files to a remote destination. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to exfiltrate sensitive AWS credentials, a technique known to be used by the TeamTNT group. If confirmed malicious, this could lead to unauthorized access and potential compromise of AWS resources.", "references": ["https://curl.se/docs/manpage.html", "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-F *\", \"*--form *\",\"*--upload-file *\",\"*-T *\",\"*-d *\",\"*--data *\",\"*--data-raw *\", \"*-I *\", \"*--head *\") AND Processes.process IN (\"*.aws/credentials*\". \"*.aws/config*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_curl_upload_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Data Destruction Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "description": "The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage.", "references": ["https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process IN (\"* -rf*\", \"* -fr*\") AND Processes.process = \"* --no-preserve-root\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_data_destruction_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux DD File Overwrite", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "description": "The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.", "references": ["https://gtfobins.github.io/gtfobins/dd/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dd\" AND Processes.process = \"*of=*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_dd_file_overwrite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Decode Base64 to Shell", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "637b603e-1799-40fd-bf87-47ecbd551b66", "description": "The following analytic detects the decoding of base64-encoded data and its execution in a Linux shell. It leverages the Endpoint.Processes data model to search for commands like \"base64 -d\" and \"base64 --decode\" combined with Linux shell execution. This activity is significant because base64 encoding is often used to obfuscate malicious commands or payloads, indicating potential malicious activity. If confirmed malicious, this behavior could allow an attacker to execute unauthorized commands, gain unauthorized access, exfiltrate data, or perform other harmful actions on the Linux system.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027", "T1059.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") AND Processes.process=\"*|*\" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate software being utilized. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_decode_base64_to_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "description": "The following analytic detects the deletion of critical directories on a Linux machine using the `rm` command with argument rf. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant because deleting these directories can severely disrupt system operations and is often associated with destructive campaigns like Industroyer2. If confirmed malicious, this action could lead to system instability, data loss, and potential downtime, making it crucial for immediate investigation and response.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A deletion in known critical list of folder using rm command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= \"* -rf *\" AND Processes.process IN (\"*/boot/*\", \"*/var/log/*\", \"*/etc/*\", \"*/dev/*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_deleting_critical_directory_using_rm_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion Of Cron Jobs", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "description": "The following analytic detects the deletion of cron jobs on a Linux machine. It leverages filesystem event logs to identify when files within the \"/etc/cron.*\" directory are deleted. This activity is significant because attackers or malware may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. If confirmed malicious, this action could allow an attacker to disrupt system operations, evade security measures, or facilitate further malicious activities such as data wiping, as seen with the acidrain malware.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path=\"/etc/cron.*\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_deletion_of_cron_jobs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion Of Init Daemon Script", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "description": "The following analytic detects the deletion of init daemon scripts on a Linux machine. It leverages filesystem event logs to identify when files within the /etc/init.d/ directory are deleted. This activity is significant because init daemon scripts control the start and stop of critical services, and their deletion can indicate an attempt to impair security features or evade defenses. If confirmed malicious, this behavior could allow an attacker to disrupt essential services, execute destructive payloads, or persist undetected in the environment.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Init daemon script deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/init.d/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_deletion_of_init_daemon_script_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion Of Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 3, "id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "description": "The following analytic detects the deletion of services on a Linux machine. It leverages filesystem event logs to identify when service files within system directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This activity is significant because attackers may delete or modify services to disable security features or evade defenses. If confirmed malicious, this behavior could indicate an attempt to impair system functionality or execute a destructive payload, potentially leading to system instability or data loss. Immediate investigation is required to determine the responsible process and user.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AcidRain", "AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/systemd/*\", \"*/lib/systemd/*\", \"*/run/systemd/*\") Filesystem.file_path = \"*.service\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_deletion_of_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion of SSL Certificate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "839ab790-a60a-4f81-bfb3-02567063f615", "description": "The following analytic detects the deletion of SSL certificates on a Linux machine. It leverages filesystem event logs to identify when files with extensions .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant because attackers may delete or modify SSL certificates to disable security features or evade defenses on a compromised system. If confirmed malicious, this behavior could indicate an attempt to disrupt secure communications, evade detection, or execute a destructive payload, potentially leading to significant security breaches and data loss.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "SSL certificate deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/ssl/certs/*\" Filesystem.file_path IN (\"*.pem\", \"*.crt\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_deletion_of_ssl_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "description": "The following analytic detects attempts to disable a service on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" with commands containing \"disable.\" This activity is significant as adversaries may disable security or critical services to evade detection and facilitate further malicious actions, such as deploying destructive payloads. If confirmed malicious, this could lead to the termination of essential security services, allowing attackers to persist undetected and potentially cause significant damage to the system.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process = \"* disable*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Doas Conf File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "f6343e86-6e09-11ec-9376-acde48001122", "description": "The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages filesystem data from the Endpoint data model, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/doas.conf\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_doas_conf_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Doas Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "d5a62490-6e09-11ec-884e-acde48001122", "description": "The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A doas $process_name$ with commandline $process$ was executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"doas\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_doas_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Docker Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3", "description": "The following analytic detects attempts to escalate privileges on a Linux system using Docker. It identifies processes where Docker commands are used to mount the root directory or execute shell commands within a container. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, command-line arguments, and parent processes. This activity is significant because it can allow an attacker with Docker privileges to modify critical system files, such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead to full system compromise and persistent unauthorized access.", "references": ["https://gtfobins.github.io/gtfobins/docker/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN(\"*docker*-v*/*:*\",\"*docker*--volume*/*:*\") OR Processes.process IN(\"*docker*exec*sh*\",\"*docker*exec*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_docker_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Edit Cron Table Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "0d370304-5f26-11ec-a4bb-acde48001122", "description": "The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab edit command $process$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = \"*crontab *\" Processes.process = \"* -e*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_edit_cron_table_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Emacs Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "92033cab-1871-483d-a03b-a7ce98665cfc", "description": "The following analytic detects the execution of Emacs with elevated privileges using the `sudo` command and the `--eval` option. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by running Emacs with elevated permissions. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and unauthorized access to sensitive information.", "references": ["https://gtfobins.github.io/gtfobins/emacs/", "https://en.wikipedia.org/wiki/Emacs"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*emacs*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_emacs_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux File Created In Kernel Driver Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "b85bbeec-6326-11ec-9311-acde48001122", "description": "The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/kernel/drivers/*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_file_created_in_kernel_driver_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux File Creation In Init Boot Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "description": "The following analytic detects the creation of files in Linux init boot directories, which are used for automatic execution upon system startup. It leverages file system logs to identify new files in directories such as /etc/init.d/ and /etc/rc.d/. This activity is significant as it is a common persistence technique used by adversaries, malware authors, and red teamers. If confirmed malicious, this could allow an attacker to maintain persistence on the compromised host, potentially leading to further exploitation and unauthorized control over the system.", "references": ["https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1037.004", "T1037"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/init.d/*\", \"*/etc/rc.d/*\", \"*/sbin/init.d/*\", \"*/etc/rc.local*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_file_creation_in_init_boot_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux File Creation In Profile Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "46ba0082-61af-11ec-9826-acde48001122", "description": "The following analytic detects the creation of files in the /etc/profile.d directory on Linux systems. It leverages filesystem data to identify new files in this directory, which is often used by adversaries for persistence by executing scripts upon system boot. This activity is significant as it may indicate an attempt to maintain long-term access to the compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges each time the system boots, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1546/004/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.004", "T1546"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/profile.d/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_file_creation_in_profile_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Find Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 2, "id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "description": "The following analytic detects the use of the 'find' command with 'sudo' and '-exec' options, which can indicate an attempt to escalate privileges on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could enable an attacker to gain full control over the system, leading to severe security breaches and unauthorized access to sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/find/", "https://en.wikipedia.org/wiki/Find_(Unix)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*find*\" AND Processes.process=\"*-exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_find_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux GDB Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-16", "version": 2, "id": "310b7da2-ab52-437f-b1bf-0bd458674308", "description": "The following analytic detects the execution of the GNU Debugger (GDB) with specific flags that indicate an attempt to escalate privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where GDB is run with the `-nx`, `-ex`, and `sudo` flags. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could result in full system compromise, allowing an attacker to gain complete control over the affected endpoint.", "references": ["https://gtfobins.github.io/gtfobins/gdb/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gdb*\" AND Processes.process=\"*-nx*\" AND Processes.process=\"*-ex*!*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_gdb_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Gem Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "description": "The following analytic detects the execution of the RubyGems utility with elevated privileges, specifically when it is used to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"gem open -e\" and \"sudo\". This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as the root user. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute arbitrary commands with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/gem/", "https://en.wikipedia.org/wiki/RubyGems"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gem*open*-e*\" AND Processes.process=\"*-c*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_gem_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux GNU Awk Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-16", "version": 2, "id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "description": "The following analytic detects the execution of the 'gawk' command with elevated privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify command-line executions where 'gawk' is used with 'sudo' and 'BEGIN{system' patterns. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full root access, enabling the attacker to control the system, modify critical files, and maintain persistent access.", "references": ["https://gtfobins.github.io/gtfobins/gawk/", "https://www.geeksforgeeks.org/gawk-command-in-linux-with-examples/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gawk*\" AND Processes.process=\"*BEGIN*{system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_gnu_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Hardware Addition SwapOff", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "c1eea697-99ed-44c2-9b70-d8935464c499", "description": "The following analytic detects the execution of the \"swapoff\" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ swap off paging device in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1200"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"swapoff\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may disable swapping of devices in a linux host. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_hardware_addition_swapoff_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "description": "The following analytic detects a high frequency of file deletions in the /boot/ folder on Linux systems. It leverages filesystem event logs to identify when 200 or more files are deleted within an hour by the same process. This behavior is significant as it may indicate the presence of wiper malware, such as Industroyer2, which targets critical system directories. If confirmed malicious, this activity could lead to system instability or failure, hindering the boot process and potentially causing a complete system compromise.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/boot/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 3, "id": "9d867448-2aff-4d07-876c-89409a752ff8", "description": "The following analytic detects a high frequency of file deletions in the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model to identify instances where 200 or more files are deleted within an hour, grouped by process name and process ID. This behavior is significant as it may indicate the presence of wiper malware, such as AcidRain, which aims to delete critical system files. If confirmed malicious, this activity could lead to severe system instability, data loss, and potential disruption of services.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Impair Defenses Process Kill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "description": "The following analytic identifies the execution of the 'pkill' command, which is used to terminate processes on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because threat actors often use 'pkill' to disable security defenses or terminate critical processes, facilitating further malicious actions. If confirmed malicious, this behavior could lead to the disruption of security applications, enabling attackers to evade detection and potentially corrupt or destroy files on the targeted system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ tries to execute pkill commandline to terminate process in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( \"pgrep\", \"pkill\") Processes.process = \"*pkill *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can terminate a process using this linux command. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_impair_defenses_process_kill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Indicator Removal Clear Cache", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "e0940505-0b73-4719-84e6-cb94c44a5245", "description": "The following analytic detects processes that clear or free page cache on a Linux system. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line executions involving the kernel system request `drop_caches`. This activity is significant as it may indicate an attempt to delete forensic evidence or the presence of wiper malware like Awfulshred. If confirmed malicious, this behavior could allow an attacker to cover their tracks, making it difficult to investigate other malicious activities or system compromises.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ clear cache using kernel drop cache system request in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") AND Processes.process IN(\"* echo 3 > *\", \"* echo 2 > *\",\"* echo 1 > *\") AND Processes.process = \"*/proc/sys/vm/drop_caches\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_indicator_removal_clear_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Indicator Removal Service File Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "description": "The following analytic detects the deletion of Linux service unit configuration files by suspicious processes. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes executing the 'rm' command targeting '.service' files. This activity is significant as it may indicate malware attempting to disable critical services or security products, a common defense evasion tactic. If confirmed malicious, this behavior could lead to service disruption, security tool incapacitation, or complete system compromise, severely impacting the integrity and availability of the affected Linux host.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ has a commandline $process$ to delete service configuration file in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process = \"*rm *\" AND Processes.process = \"*.service\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can delete services unit configuration file as part of normal software installation. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_indicator_removal_service_file_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ingress Tool Transfer Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "description": "The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing curl or wget.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. This query is meant to help tune other curl and wget analytics.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ingress_tool_transfer_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ingress Tool Transfer with Curl", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "description": "The following analytic detects the use of the curl command with specific switches (-O, -sO, -ksO, --output) commonly used to download remote scripts or binaries. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to download and execute potentially malicious files, often used in initial stages of an attack. If confirmed malicious, this could lead to unauthorized code execution, enabling attackers to compromise the system further.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, \"(?i)(-O|-sO|-ksO|--output)\") | `linux_ingress_tool_transfer_with_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. Tune and then change type to TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ingress_tool_transfer_with_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "18b5a1a0-6326-11ec-943a-acde48001122", "description": "The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_insert_kernel_module_using_insmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "387b278a-6326-11ec-aa2c-acde48001122", "description": "The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_install_kernel_module_using_modprobe_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Iptables Firewall Modification", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "description": "The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns that alter firewall rules to accept traffic on certain TCP ports. This activity is significant as it can indicate malware, such as CyclopsBlink, modifying firewall settings to allow communication with a Command and Control (C2) server. If confirmed malicious, this could enable attackers to maintain persistent access and exfiltrate data, posing a severe security risk.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process name - $process_name$ that may modify iptables firewall on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*iptables *\" AND Processes.process = \"* --dport *\" AND Processes.process = \"* ACCEPT*\" AND Processes.process = \"*&>/dev/null*\" AND Processes.process = \"* tcp *\" AND NOT(Processes.parent_process_path IN(\"/bin/*\", \"/lib/*\", \"/usr/bin/*\", \"/sbin/*\")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process \"--dport (?3269|636|989|994|995|8443)\" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_iptables_firewall_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Java Spawning Shell", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "7b09db8a-5c20-11ec-9945-acde48001122", "description": "The following analytic detects instances where Java, Apache, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant as it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Spring4Shell CVE-2022-22965"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_java_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Kernel Module Enumeration", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "6df99886-0e04-4c11-8b88-325747419278", "description": "The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system.", "references": ["https://man7.org/linux/man-pages/man8/kmod.8.html"], "tags": {"analytic_story": ["Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082", "T1014"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN (\"*lsmod*\", \"*list*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_kernel_module_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Kworker Process In Writable Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "description": "The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process paths. This activity is significant as kworker processes are typically kernel threads, and their presence in writable directories is unusual and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, this could allow attackers to blend malicious processes with legitimate ones, leading to persistent access and further system compromise.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ with kworker commandline in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.004", "T1036"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = \"*[kworker/*\" Processes.parent_process_path IN (\"/home/*\", \"/tmp/*\", \"/var/log/*\") Processes.process=\"*iptables*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_kworker_process_in_writable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Make Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-12", "version": 2, "id": "80b22836-5091-4944-80ee-f733ac443f4f", "description": "The following analytic detects the use of the 'make' command with elevated privileges to execute system commands as root, potentially leading to a root shell. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include 'make', '--eval', and 'sudo'. This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, an attacker could achieve full control over the system, execute arbitrary commands, and compromise the entire environment.", "references": ["https://gtfobins.github.io/gtfobins/make/", "https://www.javatpoint.com/linux-make-command"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*make*-s*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_make_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux MySQL Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "c0d810f4-230c-44ea-b703-989da02ff145", "description": "The following analytic detects the execution of MySQL commands with elevated privileges using sudo, which can lead to privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of MySQL to execute system commands as root, which could allow an attacker to gain root shell access. If confirmed malicious, this could result in full control over the affected system, leading to severe security breaches and unauthorized access to sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/mysql/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*mysql*-e*\" AND Processes.process=\"*\\!**\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_mysql_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "bc84d574-708c-467d-b78a-4c1e20171f97", "description": "The following analytic detects the use of Ngrok on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments associated with Ngrok. This activity is significant because Ngrok can be used by adversaries to establish reverse proxies, potentially bypassing network defenses. If confirmed malicious, this could allow attackers to create persistent, unauthorized access channels, facilitating data exfiltration or further exploitation of the compromised system.", "references": ["https://ngrok.com/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1090", "T1102"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if Ngrok is an authorized utility. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Node Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-29", "version": 2, "id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "description": "The following analytic identifies the execution of Node.js with elevated privileges using sudo, specifically when spawning child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific Node.js commands. This activity is significant because running Node.js as a superuser without dropping privileges can allow unauthorized access to the file system and potential privilege escalation. If confirmed malicious, this could enable an attacker to maintain privileged access, execute arbitrary code, and compromise sensitive data within the environment.", "references": ["https://gtfobins.github.io/gtfobins/docker/", "https://en.wikipedia.org/wiki/Node.js"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*node*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*child_process.spawn*\" AND Processes.process=\"*stdio*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_node_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "description": "The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify command lines containing \"NOPASSWD:\". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands", "https://help.ubuntu.com/community/Sudoers"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*NOPASSWD:*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_nopasswd_entry_in_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "description": "The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"base64 -d\" or \"base64 --decode\". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and will require some tuning based on processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_obfuscated_files_or_information_base64_decode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Octave Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-18", "version": 2, "id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "description": "The following analytic detects the execution of GNU Octave with elevated privileges, specifically when it runs system commands via sudo. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments that include \"octave-cli,\" \"--eval,\" \"system,\" and \"sudo.\" This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands, severely impacting system security and integrity.", "references": ["https://gtfobins.github.io/gtfobins/octave/", "https://en.wikipedia.org/wiki/GNU_Octave"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*octave-cli*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_octave_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux OpenVPN Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 2, "id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "description": "The following analytic detects the execution of OpenVPN with elevated privileges, specifically when combined with the `--dev`, `--script-security`, `--up`, and `sudo` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/openvpn/", "https://en.wikipedia.org/wiki/OpenVPN"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*openvpn*\" AND Processes.process=\"*--dev*\" AND Processes.process=\"*--script-security*\" AND Processes.process=\"*--up*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_openvpn_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "description": "The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. This activity is significant for a SOC because it highlights behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system. If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Privilege escalation and persistence behaviors have been identified on $risk_object$.", "risk_score": 56, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN (\"Linux Privilege Escalation\", \"Linux Persistence Techniques\") OR source = \"*Linux*\") All_Risk.annotations.mitre_attack.mitre_tactic IN (\"persistence\", \"privilege-escalation\") All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`", "how_to_implement": "Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_persistence_and_privilege_escalation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux PHP Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-19", "version": 2, "id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "description": "The following analytic detects the execution of PHP commands with elevated privileges on a Linux system. It identifies instances where PHP is used in conjunction with 'sudo' and 'system' commands, indicating an attempt to run system commands as the root user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to full root access. If confirmed malicious, this could allow an attacker to execute arbitrary commands with root privileges, compromising the entire system.", "references": ["https://gtfobins.github.io/gtfobins/php/", "https://en.wikipedia.org/wiki/PHP"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*php*-r*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_php_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux pkexec Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "03e22c1c-8086-11ec-ac2e-acde48001122", "description": "The following analytic detects the execution of `pkexec` without any command-line arguments. This behavior leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry. The significance lies in the fact that this pattern is associated with the exploitation of CVE-2021-4034 (PwnKit), a critical vulnerability in Polkit's pkexec component. If confirmed malicious, this activity could allow an attacker to gain full root privileges on the affected Linux system, leading to complete system compromise and potential unauthorized access to sensitive information.", "references": ["https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/", "https://linux.die.net/man/1/pkexec", "https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/", "https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_pkexec_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "7a85eb24-72da-11ec-ac76-acde48001122", "description": "The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the sshd_config file. This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098.004", "T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/ssh/sshd_config\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_access_or_modification_of_sshd_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Access To Credential Files", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "16107e0e-71fc-11ec-b862-acde48001122", "description": "The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.", "references": ["https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd", "https://attack.mitre.org/techniques/T1003/008/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.008", "T1003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/shadow*\", \"*/etc/passwd*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_access_to_credential_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Access To Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "4479539c-71fc-11ec-b2e2-acde48001122", "description": "The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.", "references": ["https://attack.mitre.org/techniques/T1548/003/", "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/sudoers*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_access_to_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Append Command To At Allow Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "7bc20606-5f40-11ec-a586-acde48001122", "description": "The following analytic detects suspicious command lines that append user entries to /etc/at.allow or /etc/at.deny files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving these files. This activity is significant because altering these configuration files can allow attackers to schedule tasks with elevated permissions, facilitating persistence on a compromised Linux host. If confirmed malicious, this could enable attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://linuxize.com/post/at-command-in-linux/", "https://attack.mitre.org/techniques/T1053/001/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify at allow config file in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.002", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/at.allow\", \"*/etc/at.deny\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_append_command_to_at_allow_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Append Command To Profile Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "9c94732a-61af-11ec-91e3-acde48001122", "description": "The following analytic detects suspicious command-lines that modify user profile files to automatically execute scripts or executables upon system reboot. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving profile files like ~/.bashrc and /etc/profile. This activity is significant as it indicates potential persistence mechanisms used by adversaries to maintain access to compromised hosts. If confirmed malicious, this could allow attackers to execute arbitrary code upon reboot, leading to persistent control over the system and potential further exploitation.", "references": ["https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work", "https://attack.mitre.org/techniques/T1546/004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may modify profile files in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.004", "T1546"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*~/.bashrc\", \"*~/.bash_profile\", \"*/etc/profile\", \"~/.bash_login\", \"*~/.profile\", \"~/.bash_logout\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_append_command_to_profile_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "b5b91200-5f27-11ec-bb4e-acde48001122", "description": "The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.", "references": ["https://attack.mitre.org/techniques/T1053/003/", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Cronjob Modification With Editor", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "dcc89bde-5f24-11ec-87ca-acde48001122", "description": "The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like \"nano,\" \"vi,\" or \"vim.\" It identifies this activity by monitoring command-line executions that interact with cronjob configuration paths. This behavior is significant for a SOC as it may indicate attempts at privilege escalation or establishing persistent access. If confirmed malicious, the impact could be severe, allowing attackers to execute damaging actions such as data theft, system sabotage, or further network penetration.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file using editor in $dest$", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN(\"nano\",\"vim.basic\") OR Processes.process IN (\"*nano *\", \"*vi *\", \"*vim *\")) AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_cronjob_modification_with_editor_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Ssh Key File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "c04ef40c-72da-11ec-8eac-acde48001122", "description": "The following analytic detects the creation of SSH key files in the ~/.ssh/ directory. It leverages filesystem data to identify new files in this specific path. This activity is significant because threat actors often create SSH keys to gain persistent access and escalate privileges on a compromised host. If confirmed malicious, this could allow attackers to remotely access the machine using the OpenSSH daemon service, leading to potential unauthorized control and data exfiltration.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098.004", "T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/.ssh*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_ssh_key_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Preload Hijack Library Calls", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "cbe2ca30-631e-11ec-8670-acde48001122", "description": "The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.", "references": ["https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may hijack library function on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.006", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*LD_PRELOAD*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_preload_hijack_library_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Proxy Socks Curl", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "description": "The following analytic detects the use of the `curl` command with proxy-related arguments such as `-x`, `socks`, `--preproxy`, and `--proxy`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an adversary attempting to use a proxy to evade network monitoring and obscure their actions. If confirmed malicious, this behavior could allow attackers to bypass security controls, making it difficult to track their activities and potentially leading to unauthorized data access or exfiltration.", "references": ["https://www.offensive-security.com/metasploit-unleashed/proxytunnels/", "https://curl.se/docs/manpage.html", "https://en.wikipedia.org/wiki/SOCKS", "https://oxylabs.io/blog/curl-with-proxy", "https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl.", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1090", "T1095"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-x *\", \"*socks4a://*\", \"*socks5h://*\", \"*socks4://*\",\"*socks5://*\", \"*--preproxy *\", \"--proxy*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on proxy usage internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_proxy_socks_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Puppet Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "description": "The following analytic detects the execution of Puppet commands with elevated privileges, specifically when Puppet is used to apply configurations with sudo rights. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access and execute system commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control.", "references": ["https://gtfobins.github.io/gtfobins/puppet/", "https://en.wikipedia.org/wiki/Puppet_(software)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*puppet*\" AND Processes.process=\"*apply*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_puppet_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux RPM Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-21", "version": 2, "id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "description": "The following analytic detects the execution of the RPM Package Manager with elevated privileges, specifically when it is used to run system commands as root via the `--eval` and `lua:os.execute` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, this could lead to full system compromise, unauthorized access to sensitive data, and further exploitation of the environment.", "references": ["https://gtfobins.github.io/gtfobins/rpm/", "https://en.wikipedia.org/wiki/RPM_Package_Manager"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*rpm*--eval*\" AND Processes.process=\"*lua:os.execute*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_rpm_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ruby Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-25", "version": 2, "id": "097b28b5-7004-4d40-a715-7e390501788b", "description": "The following analytic detects the execution of Ruby commands with elevated privileges on a Linux system. It identifies processes where Ruby is used with the `-e` flag to execute commands via `sudo`, leveraging Endpoint Detection and Response (EDR) telemetry. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access, execute arbitrary commands, and maintain persistent control over the affected system.", "references": ["https://gtfobins.github.io/gtfobins/ruby/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*ruby*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ruby_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Service File Created In Systemd Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "c7495048-61b6-11ec-9a37-acde48001122", "description": "The following analytic detects the creation of suspicious service files within the systemd directories on Linux platforms. It leverages logs containing file name, file path, and process GUID data from endpoints. This activity is significant for a SOC as it may indicate an adversary attempting to establish persistence on a compromised host. If confirmed malicious, this could lead to system compromise or data exfiltration, allowing attackers to maintain control over the system and execute further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1053/006/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml"], "tags": {"analytic_story": ["Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service file named as $file_path$ is created in systemd folder on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.006", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN (\"*/etc/systemd/system*\", \"*/lib/systemd/system*\", \"*/usr/lib/systemd/system*\", \"*/run/systemd/system*\", \"*~/.config/systemd/*\", \"*~/.local/share/systemd/*\",\"*/etc/systemd/user*\", \"*/lib/systemd/user*\", \"*/usr/lib/systemd/user*\", \"*/run/systemd/user*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_service_file_created_in_systemd_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Service Restarted", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "084275ba-61b8-11ec-8d64-acde48001122", "description": "The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create or start a service on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.006", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"*restart*\", \"*reload*\", \"*reenable*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_service_restarted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Service Started Or Enabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 3, "id": "e0428212-61b7-11ec-88a3-acde48001122", "description": "The following analytic detects the creation or enabling of services on Linux platforms using the systemctl or service tools. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names, parent processes, and command-line executions. This activity is significant as adversaries may create or modify services to maintain persistence or execute malicious payloads. If confirmed malicious, this behavior could lead to persistent access, data theft, ransomware deployment, or other damaging outcomes. Monitoring and investigating such activities are crucial for maintaining the security and integrity of the environment.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may create or start a service on $dest", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.006", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"* start *\", \"* enable *\") AND NOT (Processes.os=\"Microsoft Windows\" OR Processes.vendor_product=\"Microsoft Windows\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_service_started_or_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Setuid Using Chmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "bf0304b6-6250-11ec-9d7c-acde48001122", "description": "The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.001", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = \"*chmod *\") AND Processes.process IN(\"* g+s *\", \"* u+s *\", \"* 4777 *\", \"* 4577 *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_setuid_using_chmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Setuid Using Setcap Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "9d96022e-6250-11ec-9a19-acde48001122", "description": "The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.001", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = \"*setcap *\") AND Processes.process IN (\"* cap_setuid=ep *\", \"* cap_setuid+ep *\", \"* cap_net_bind_service+p *\", \"* cap_net_raw+ep *\", \"* cap_dac_read_search+ep *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_setuid_using_setcap_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Shred Overwrite Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c1952cf1-643c-4965-82de-11c067cbae76", "description": "The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible shred overwrite command $process$ executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN (\"*-n*\", \"*-u*\", \"*-z*\", \"*-s*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_shred_overwrite_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Sqlite3 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "description": "The following analytic detects the execution of the sqlite3 command with elevated privileges, which can be exploited for privilege escalation. It leverages Endpoint Detection and Response (EDR) telemetry to identify instances where sqlite3 is used in conjunction with shell commands and sudo. This activity is significant because it indicates a potential attempt to gain root access, which could lead to full system compromise. If confirmed malicious, an attacker could execute arbitrary commands as root, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://gtfobins.github.io/gtfobins/sqlite3/", "https://manpages.ubuntu.com/manpages/trusty/en/man1/sqlite3.1.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sqlite3*\" AND Processes.process=\"*.shell*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_sqlite3_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux SSH Authorized Keys Modification", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "f5ab595e-28e5-4327-8077-5008ba97c850", "description": "The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like \"bash\" and \"cat\" interacting with \"authorized_keys\" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"bash\",\"cat\") Processes.process IN (\"*/authorized_keys*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering will be required as system administrators will add and remove. One way to filter query is to add \"echo\".", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ssh_authorized_keys_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux SSH Remote Services Script Execute", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "description": "The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN (\"*oStrictHostKeyChecking*\", \"*oConnectTimeout*\", \"*oBatchMode*\") AND Processes.process IN (\"*http:*\",\"*https:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is not a common command to be executed. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_ssh_remote_services_script_execute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Stdout Redirection To Dev Null File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "description": "The following analytic detects command-line activities that redirect stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This behavior is significant as it can indicate attempts to hide command outputs, a technique observed in the CyclopsBlink malware to conceal modifications to iptables firewall settings. If confirmed malicious, this activity could allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that redirect stdout to dev/null in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*&>/dev/null*\" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_stdout_redirection_to_dev_null_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Stop Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "description": "The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process =\"*stop*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_stop_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Sudo OR Su Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "4b00f134-6d6a-11ec-a90c-acde48001122", "description": "The following analytic detects the execution of the \"sudo\" or \"su\" command on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names. This activity is significant because \"sudo\" and \"su\" commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1548/003/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that execute sudo or su in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"sudo\", \"su\") OR Processes.parent_process_name IN (\"sudo\", \"su\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_sudo_or_su_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Sudoers Tmp File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "be254a5c-63e7-11ec-89da-acde48001122", "description": "The following analytic detects the creation of the \"sudoers.tmp\" file, which occurs when editing the /etc/sudoers file using visudo or another editor on a Linux platform. This detection leverages filesystem data to identify the presence of \"sudoers.tmp\" files. Monitoring this activity is crucial as adversaries may exploit it to gain elevated privileges on a compromised host. If confirmed malicious, this activity could allow attackers to modify sudoers configurations, potentially granting them unauthorized access to execute commands as other users, including root, thereby compromising the system's security.", "references": ["https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*sudoers.tmp*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_sudoers_tmp_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux System Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "535cb214-8b47-11ec-a2c7-acde48001122", "description": "The following analytic identifies potential enumeration of local network configuration on Linux systems. It detects this activity by monitoring processes such as \"arp,\" \"ifconfig,\" \"ip,\" \"netstat,\" \"firewall-cmd,\" \"ufw,\" \"iptables,\" \"ss,\" and \"route\" within a 30-minute window. This behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks. If confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2", "Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Network discovery process $process_name_list$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN (\"arp\", \"ifconfig\", \"ip\", \"netstat\", \"firewall-cmd\", \"ufw\", \"iptables\", \"ss\", \"route\") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_system_network_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux System Reboot Via System Request Key", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "description": "The following analytic detects the execution of the SysReq hack to reboot a Linux system host. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe 'b' to /proc/sysrq-trigger. This activity is significant as it is an uncommon method to reboot a system and was observed in the Awfulshred malware wiper. If confirmed malicious, this technique could indicate the presence of suspicious processes and potential system compromise, leading to unauthorized reboots and disruption of services.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to reboot $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo b > *\" Processes.process = \"*/proc/sysrq-trigger\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_system_reboot_via_system_request_key_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "e7a96937-3b58-4962-8dce-538e4763cf15", "description": "The following analytic detects the execution of a command to enable all SysRq functions on a Linux system, a technique associated with the AwfulShred malware. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe bitmask '1' to /proc/sys/kernel/sysrq. This activity is significant as it can indicate an attempt to manipulate kernel system requests, which is uncommon and potentially malicious. If confirmed, this could allow an attacker to reboot the system or perform other critical actions, leading to system instability or further compromise.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.004", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo 1 > *\" Processes.process = \"*/proc/sys/kernel/sysrq\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_unix_shell_enable_all_sysrq_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Visudo Utility Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "08c41040-624c-11ec-a71f-acde48001122", "description": "The following analytic detects the execution of the 'visudo' utility to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because unauthorized changes to the /etc/sudoers file can grant elevated privileges to users, potentially allowing adversaries to execute commands as root. If confirmed malicious, this could lead to full system compromise, privilege escalation, and persistent unauthorized access, severely impacting the security posture of the affected host.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_visudo_utility_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Living Off The Land Detection", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "1be30d80-3a39-4df9-9102-64a467b24abc", "description": "The following correlation identifies multiple risk events associated with the \"Living Off The Land\" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.", "references": ["https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html", "https://research.splunk.com/stories/living_off_the_land/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105", "T1190", "T1059", "T1133"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Living Off The Land\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_detection_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories=\"Living Off The Land\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "living_off_the_land_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Loading Of Dynwrapx Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "eac5e8ba-4857-11ec-9371-acde48001122", "description": "The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. Immediate investigation of parallel processes and registry modifications is recommended.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "dynwrapx.dll loaded by process $process_name$ on $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055", "T1055.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\dynwrapx.dll\" OR OriginalFileName = \"dynwrapx.dll\" OR Product = \"DynamicWrapperX\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "loading_of_dynwrapx_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Local Account Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "5d0d4830-0133-11ec-bae3-acde48001122", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "local_account_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Local Account Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "4902d7aa-0134-11ec-9d65-acde48001122", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query local user accounts, specifically the `useraccount` argument. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "local_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "author": "Jose Hernandez, Splunk", "date": "2024-05-26", "version": 4, "id": "9be30d80-3a39-4df9-9102-64a467b24eac", "description": "The following analytic identifies potential exploitation of Log4Shell CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK tactics from Log4Shell-related detections. This activity is significant because it indicates a high probability of exploitation if two or more distinct tactics are observed. If confirmed malicious, this activity could lead to initial payload delivery, callback to a malicious server, and post-exploitation activities, potentially resulting in unauthorized access, lateral movement, and further compromise of the affected systems.", "references": ["https://research.splunk.com/stories/log4shell_cve-2021-44228/", "https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Log4Shell Exploitation detected against $risk_object$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105", "T1190", "T1059", "T1133"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Log4Shell CVE-2021-44228\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories=\"Log4Shell CVE-2021-44228\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "log4shell_cve_2021_44228_exploitation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Logon Script Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "4c38c264-1f74-11ec-b5fa-acde48001122", "description": "The following analytic detects the modification of the UserInitMprLogonScript registry entry, which is often used by attackers to establish persistence and gain privilege escalation upon system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the specified registry path. This activity is significant because it is a common technique used by APT groups and malware to ensure their payloads execute automatically when the system starts. If confirmed malicious, this could allow attackers to maintain persistent access and potentially escalate their privileges on the compromised host.", "references": ["https://attack.mitre.org/techniques/T1037/001/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1037", "T1037.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Environment\\\\UserInitMprLogonScript\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "logon_script_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "LOLBAS With Network Traffic", "author": "Steven Dick", "date": "2024-05-11", "version": 2, "id": "2820f032-19eb-497e-8642-25b04a880359", "description": "The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "references": ["https://lolbas-project.github.io/#", "https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "message": "The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1105", "T1567", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN (\"*Regsvcs.exe\", \"*\\\\Ftp.exe\", \"*OfflineScannerShell.exe\", \"*Rasautou.exe\", \"*Schtasks.exe\", \"*Xwizard.exe\", \"*Pnputil.exe\", \"*Atbroker.exe\", \"*Pcwrun.exe\", \"*Ttdinject.exe\", \"*Mshta.exe\", \"*Bitsadmin.exe\", \"*Certoc.exe\", \"*Ieexec.exe\", \"*Microsoft.Workflow.Compiler.exe\", \"*Runscripthelper.exe\", \"*Forfiles.exe\", \"*Msbuild.exe\", \"*Register-cimprovider.exe\", \"*Tttracer.exe\", \"*Ie4uinit.exe\", \"*Bash.exe\", \"*Hh.exe\", \"*SettingSyncHost.exe\", \"*Cmstp.exe\", \"*Stordiag.exe\", \"*Scriptrunner.exe\", \"*Odbcconf.exe\", \"*Extexport.exe\", \"*Msdt.exe\", \"*WorkFolders.exe\", \"*Diskshadow.exe\", \"*Mavinject.exe\", \"*Regasm.exe\", \"*Gpscript.exe\", \"*Regsvr32.exe\", \"*Msiexec.exe\", \"*Wuauclt.exe\", \"*Presentationhost.exe\", \"*Wmic.exe\", \"*Runonce.exe\", \"*Syncappvpublishingserver.exe\", \"*Verclsid.exe\", \"*Infdefaultinstall.exe\", \"*Installutil.exe\", \"*Netsh.exe\", \"*Wab.exe\", \"*Dnscmd.exe\", \"*\\\\At.exe\", \"*Pcalua.exe\", \"*Msconfig.exe\", \"*makecab.exe\", \"*cscript.exe\", \"*notepad.exe\", \"*\\\\cmd.exe\", \"*certutil.exe\", \"*\\\\powershell.exe\", \"*powershell_ise.exe\")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `lolbas_with_network_traffic_filter`", "how_to_implement": "To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.", "known_false_positives": "Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\") ", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "lolbas_with_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MacOS - Re-opened Applications", "author": "Jamie Windley, Splunk", "date": "2024-05-14", "version": 2, "id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "description": "The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to \"com.apple.loginwindow.\" This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*com.apple.loginwindow*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "macos___re_opened_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MacOS LOLbin", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 3, "id": "58d270fb-5b39-418e-a855-4b8ac046805e", "description": "The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as \"find\", \"crontab\", \"screencapture\", \"openssl\", \"curl\", \"wget\", \"killall\", and \"funzip\". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiplle LOLbin are executed on host $dest$ by user $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.004", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery` name=es_process_events columns.cmdline IN (\"find*\", \"crontab*\", \"screencapture*\", \"openssl*\", \"curl*\", \"wget*\", \"killall*\", \"funzip*\") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as user, cmdline as process, path as process_path, host as dest | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "None identified.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "macos_lolbin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "MacOS plutil", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 4, "id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "description": "The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "plutil are executed on $dest$ from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1647"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "Administrators using plutil to change plist files.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "macos_plutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Mailsniper Invoke functions", "author": "Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 3, "id": "a36972c8-b894-11eb-9f78-acde48001122", "description": "The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure.", "references": ["https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential mailsniper.ps1 functions executed on dest $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1114", "T1114.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mailsniper_invoke_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Malicious InProcServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "127c8d08-25ff-11ec-9223-acde48001122", "description": "The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security.", "references": ["https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.010", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\CLSID\\\\{89565275-A714-4a43-912E-978B935EDCCC}\\\\InProcServer32\\\\(Default)\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Malicious Powershell Executed As A Service", "author": "Ryan Becwar", "date": "2024-05-20", "version": 3, "id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "description": "The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "http://az4n6.blogspot.com/2017/", "https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "tags": {"analytic_story": ["Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $ImagePath$ by $user$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 | eval l_ImagePath=lower(ImagePath) | regex l_ImagePath=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_ImagePath=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName StartType ServiceType AccountName UserID dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Creating a hidden powershell service is rare and could key off of those instances.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_powershell_executed_as_a_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Malicious PowerShell Process - Encoded Command", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-19", "version": 8, "id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "description": "The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts.", "references": ["https://regexr.com/662ov", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-320A", "DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "Qakbot", "Sandworm Tools", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running potentially malicious encodede commands on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators may use this option, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "malicious_powershell_process___encoded_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 6, "id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "description": "The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like \"-ex\" or \"bypass.\" This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "DHS Report TA18-074A", "DarkCrystal RAT", "HAFNIUM Group", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "PowerShell local execution policy bypass attempt on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"* -ex*\" OR Processes.process=\"* bypass *\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_powershell_process___execution_policy_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 6, "id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "description": "The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running with potential obfuscated arguments on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"`\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "These characters might be legitimately on the command-line, but it is not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_powershell_process_with_obfuscation_techniques_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "13bbd574-83ac-11ec-99d4-acde48001122", "description": "The following analytic detects the use of Mimikatz command line parameters associated with pass-the-ticket attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns related to Kerberos ticket manipulation. This activity is significant because pass-the-ticket attacks allow adversaries to move laterally within an environment using stolen Kerberos tickets, bypassing normal access controls. If confirmed malicious, this could enable attackers to escalate privileges, access sensitive information, and maintain persistence within the network.", "references": ["https://github.com/gentilkiwi/mimikatz", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA22-320A", "CISA AA23-347A", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Mimikatz command line parameters for pass the ticket attacks were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*sekurlsa::tickets /export*\" OR Processes.process = \"*kerberos::ptt*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mimikatz_passtheticket_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "description": "The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `mmc.exe` is the parent process. This activity is significant because adversaries can abuse the DCOM protocol and MMC20 COM object to execute malicious code, using Windows native binaries documented by the LOLBAS project. If confirmed malicious, this behavior could indicate lateral movement, allowing attackers to execute code remotely, potentially leading to further compromise and persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Mmc.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.003", "T1218.014"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mmc_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Modification Of Wallpaper", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "accb0712-c381-11eb-8e5b-acde48001122", "description": "The following analytic detects the modification of registry keys related to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify changes to the \"Control Panel\\\\Desktop\\\\Wallpaper\" and \"Control Panel\\\\Desktop\\\\WallpaperStyle\" registry keys, especially when the modifying process is not explorer.exe or involves suspicious file paths like temp or public directories. This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note. If confirmed malicious, this could signify a compromised machine and the presence of ransomware, leading to potential data encryption and extortion.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Brute Ratel C4", "LockBit Ransomware", "Ransomware", "Revil Ransomware", "Rhysida Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wallpaper modification on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1491"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode =13 (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Image != \"*\\\\explorer.exe\") OR (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Details IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may used to changed the wallpaper of the machine", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "modification_of_wallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Modify ACL permission To Files Or Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "7e8458cc-acca-11eb-9e3f-acde48001122", "description": "The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cacls.exe,\" \"icacls.exe,\" and \"xcacls.exe\" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious ACL permission modification on $dest$", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"xcacls.exe\") AND Processes.process = \"*/G*\" AND (Processes.process = \"* everyone:*\" OR Processes.process = \"* SYSTEM:*\" OR Processes.process = \"* S-1-1-0:*\") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may use this command. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "modify_acl_permission_to_files_or_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Monitor Registry Keys for Print Monitors", "author": "Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 6, "id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "description": "The following analytic detects modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "New print monitor added on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.010", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "You will encounter noise from legitimate print-monitor registry entries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "monitor_registry_keys_for_print_monitors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "985f322c-57a5-11ec-b9ac-acde48001122", "description": "The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1505.003", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name=\"*.aspx\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MS Scripting Process Loading Ldap Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "0b0c40dc-14a6-11ec-b267-acde48001122", "description": "The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading ldap modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_scripting_process_loading_ldap_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "MS Scripting Process Loading WMI Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "2eba3d36-14a6-11ec-a682-acde48001122", "description": "The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading wmi modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_scripting_process_loading_wmi_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "MSBuild Suspicious Spawned By Script Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "213b3148-24ea-11ec-93a2-acde48001122", "description": "The following analytic detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is often associated with malware or adversaries executing malicious MSBuild processes via scripts on compromised hosts. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where MSBuild is a child of script hosts. This activity is significant as it may indicate an attempt to execute malicious code. If confirmed malicious, it could lead to unauthorized code execution, potentially compromising the host and allowing further malicious activities.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/"], "tags": {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1127.001", "T1127"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"wscript.exe\", \"cscript.exe\") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as developers do not spawn MSBuild via a WSH.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "msbuild_suspicious_spawned_by_script_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "4aa5d062-e893-11eb-9eb2-acde48001122", "description": "The following analytic detects a suspicious mshta.exe process spawning rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, and parent process fields. This activity is significant as it is a known technique used by malware like Trickbot to load malicious DLLs and execute payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or download additional malware, posing a severe threat to the environment.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"mshta.exe\" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this anomaly behavior is not commonly seen in clean host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mshta_spawning_rundll32_or_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MSHTML Module Load in Office Product", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 4, "id": "5f1c168e-118b-11ec-84ff-acde48001122", "description": "The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration.", "references": ["https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://strontic.github.io/xcyclopedia/index-dll", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=7 process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") loaded_file_path IN (\"*\\\\mshtml.dll\", \"*\\\\Microsoft.mshtml.dll\",\"*\\\\IE.Interop.MSHTML.dll\",\"*\\\\MshtmlDac.dll\",\"*\\\\MshtmlDed.dll\",\"*\\\\MshtmlDer.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mshtml_module_load_in_office_product_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "MSI Module Loaded by Non-System Binary", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "ccb98a66-5851-11ec-b91c-acde48001122", "description": "The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "references": ["https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis", "https://github.com/AlexandrVIvanov/InstallerFileTakeOver", "https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/msi.dll%20Hijack%20(Methodology).ioc"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $dest$, potentally related to DLL side-loading.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\msi.dll\" NOT (Image IN (\"*\\\\System32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\windows\\\\*\", \"*\\\\winsxs\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "msi_module_loaded_by_non_system_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Msmpeng Application DLL Side Loading", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2024-05-16", "version": 4, "id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "description": "The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their expected directories. This activity is significant because it is associated with the REvil ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system compromise, and potential data loss or extortion.", "references": ["https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = \"msmpeng.exe\" OR Filesystem.file_name = \"mpsvc.dll\") AND NOT (Filesystem.file_path IN (\"*\\\\Program Files\\\\windows defender\\\\*\",\"*\\\\WinSxS\\\\*defender-service*\",\"*\\\\WinSxS\\\\Temp\\\\*defender-service*\")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "quite minimal false positive expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "msmpeng_application_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Net Localgroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "54f5201e-155b-11ec-a6e2-acde48001122", "description": "The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Graceful Wipe Out Attack", "IcedID", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon", "Windows Discovery Techniques", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process=\"*localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "net_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "NET Profiler UAC bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "0252ca80-e30d-11eb-8aa3-acde48001122", "description": "The following analytic detects modifications to the registry aimed at bypassing the User Account Control (UAC) feature in Windows. It identifies changes to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values. Monitoring this activity is crucial as it can indicate an attempt to escalate privileges or persist within the environment. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, compromising system integrity.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_path$ and key $registry_key_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Environment\\\\COR_PROFILER_PATH\" Registry.registry_value_data = \"*.dll\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "limited false positive. It may trigger by some windows update that will modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "net_profiler_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Connection Discovery With Arp", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "description": "The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"arp.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_connection_discovery_with_arp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Connection Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "640337e5-6e41-4b7f-af06-9d9eab5e1e2d", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1049/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_connection_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Connection Discovery With Netstat", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "description": "The following analytic detects the execution of `netstat.exe` with command-line arguments to list network connections on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as both Red Teams and adversaries use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map network connections, identify critical systems, and plan further lateral movement or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "CISA AA23-347A", "PlugX", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"netstat.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_connection_discovery_with_netstat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Discovery Using Route Windows App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "dd83407e-439f-11ec-ab8e-acde48001122", "description": "The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. Note that false positives may occur due to legitimate administrative tasks or automated scripts.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "Prestige Ransomware", "Qakbot", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016", "T1016.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_discovery_using_route_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_route", "definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Share Discovery Via Dir Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "description": "The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.", "references": ["https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$user$ list executable files or directory in known sensitive SMB share. Share name=$ShareName$, Access mask=$AccessMask$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1135"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=5140 ShareName IN(\"\\\\\\\\*\\\\ADMIN$\",\"\\\\\\\\*\\\\C$\",\"*\\\\\\\\*\\\\IPC$\") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_share_discovery_via_dir_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Network Traffic to Active Directory Web Services Protocol", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "68a0056c-34cb-455f-b03d-df935ea62c4f", "description": "The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Network traffic to Active Directory Web Services Protocol was identified on $dest_ip$ by $src_ip$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `network_traffic_to_active_directory_web_services_protocol_filter`", "how_to_implement": "The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_traffic_to_active_directory_web_services_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Nishang PowershellTCPOneLine", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "description": "The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server. It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. This activity is significant as it indicates potential remote control or data exfiltration attempts by an attacker. If confirmed malicious, this could lead to unauthorized remote access, data theft, or further compromise of the affected system.", "references": ["https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.rapid7.com/blog/post/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"analytic_story": ["HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present. Filter as needed based on initial analysis.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "nishang_powershelltcponeline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "NLTest Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "c3e05466-5f22-11eb-ae93-0242ac130002", "description": "The following analytic identifies the execution of `nltest.exe` with command-line arguments `/domain_trusts` or `/all_trusts` to query Domain Trust information. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to understand domain trust relationships, which can inform their lateral movement strategies. If confirmed malicious, this activity could enable attackers to map out trusted domains, facilitating further compromise and pivoting within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://malware.news/t/lets-learn-trickbot-implements-network-collector-module-leveraging-cmd-wmi-ldap/19104", "https://attack.mitre.org/techniques/T1482/", "https://owasp.org/www-pdf-archive/Red_Team_Operating_in_a_Modern_Environment.pdf", "https://ss64.com/nt/nltest.html", "https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/", "https://thedfirreport.com/2020/10/08/ryuks-return/"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery", "IcedID", "Qakbot", "Rhysida Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain trust discovery execution on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "nltest_domain_trust_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_nltest", "definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "81263de4-160a-11ec-944f-acde48001122", "description": "The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non chrome browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555", "T1555.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\chrome.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\Google\\\\Chrome\\\\User Data\\\\Default*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "non_chrome_process_accessing_chrome_default_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "e6fc13b0-1609-11ec-b533-acde48001122", "description": "The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "Azorult", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non firefox browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555", "T1555.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\firefox.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "non_firefox_process_access_firefox_profile_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Notepad with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "description": "The following analytic identifies instances where Notepad.exe is launched without any command line arguments, a behavior commonly associated with the SliverC2 framework. This detection leverages process creation events from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by Notepad.exe within a short time frame. This activity is significant as it may indicate an attempt to inject malicious code into Notepad.exe, a known tactic for evading detection. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and unauthorized access.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(notepad\\.exe.{0,4}$)\" | `notepad_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on organization endpoint behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "notepad_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Ntdsutil Export NTDS", "author": "Michael Haag, Patrick Bareiss, Splunk", "date": "2024-05-30", "version": 2, "id": "da63bc76-61ae-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Ntdsutil to export the Active Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because exporting NTDS.dit can be a precursor to offline password cracking, posing a severe security risk. If confirmed malicious, an attacker could gain access to sensitive credentials, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Active Directory NTDS export on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ntdsutil_export_ntds_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Application Drop Executable", "author": "Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github", "date": "2024-05-14", "version": 5, "id": "73ce70c4-146d-11ec-9184-acde48001122", "description": "The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as .exe, .dll, or .ps1. This behavior is significant as it is often associated with spear-phishing attacks where malicious files are dropped to compromise the host. If confirmed malicious, this activity could lead to code execution, privilege escalation, or persistent access, posing a severe threat to the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "FIN7", "PlugX", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ drops a file $file_name$ in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\",\"*.dll\",\"*.pif\",\"*.scr\",\"*.js\",\"*.vbs\",\"*.vbe\",\"*.ps1\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "office macro for automation may do this behavior", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_application_drop_executable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Application Spawn Regsvr32 process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 5, "id": "2d9fc90c-f11f-11eb-9300-acde48001122", "description": "The following analytic identifies instances where an Office application spawns a Regsvr32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. This activity is significant because it is a common technique used by malware, such as IcedID, to initiate infections. If confirmed malicious, this behavior could lead to code execution, allowing attackers to gain control over the affected system and potentially escalate privileges.", "references": ["https://www.joesandbox.com/analysis/380662/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning regsvr32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name = \"outlook.exe\" OR Processes.parent_process_name = \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name=\"msaccess.exe\") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_application_spawn_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Application Spawn rundll32 process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 5, "id": "958751e4-9c5f-11eb-b103-acde48001122", "description": "The following analytic identifies instances where an Office application spawns a rundll32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. This activity is significant because it is a common technique used by malware, such as Trickbot, to initiate infections. If confirmed malicious, this behavior could lead to code execution, further system compromise, and potential data exfiltration.", "references": ["https://any.run/malware-trends/trickbot", "https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "IcedID", "NjRAT", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning rundll32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_application_spawn_rundll32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Document Creating Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 7, "id": "cc8b7b74-9d0f-11eb-8342-acde48001122", "description": "The following analytic detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`. This detection leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` file. This activity is significant as it is a common technique used by malicious macro malware to establish persistence or initiate beaconing. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activities, posing a significant threat to the environment.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An Office document was identified creating a scheduled task on $dest$. Investigate further.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") loaded_file_path = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_document_creating_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Office Document Executing Macro Code", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 6, "id": "b12c89bc-9d06-11eb-a592-acde48001122", "description": "The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.", "references": ["https://www.joesandbox.com/analysis/386500/0/html", "https://www.joesandbox.com/analysis/702680/0/html", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/", "https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "DarkCrystal RAT", "IcedID", "NjRAT", "PlugX", "Qakbot", "Remcos", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document executing a macro on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") loaded_file_path IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_document_executing_macro_code_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Office Document Spawned Child Process To Download", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 7, "id": "6fed27d2-9ec7-11eb-8fe4-aa665a019aa3", "description": "The following analytic identifies Office applications spawning child processes to download content via HTTP/HTTPS. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications like Word or Excel initiate network connections, excluding common browsers. This activity is significant as it often indicates the use of malicious documents to execute living-off-the-land binaries (LOLBins) for payload delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further malware deployment, posing a severe threat to the organization's security.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT", "PlugX", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document spawning suspicious child process on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") Processes.process IN (\"*http:*\",\"*https:*\") NOT (Processes.original_file_name IN(\"firefox.exe\", \"chrome.exe\",\"iexplore.exe\",\"msedge.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Default browser not in the filter list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_document_spawned_child_process_to_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawn CMD Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 6, "id": "b8b19420-e892-11eb-9244-acde48001122", "description": "The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "DarkCrystal RAT", "NjRAT", "PlugX", "Qakbot", "Remcos", "Trickbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name= \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\" OR Processes.parent_process_name=\"Graph.exe\" OR Processes.parent_process_name=\"winproj.exe\") `process_cmd` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "IT or network admin may create an document automation that will run shell script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawn_cmd_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning BITSAdmin", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 6, "id": "e8c591f4-a6d7-11eb-8cf7-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because `bitsadmin.exe` is commonly used for malicious file transfers, potentially indicating a malware infection. If confirmed malicious, this activity could allow attackers to download additional payloads, escalate privileges, or establish persistence, leading to further compromise of the affected system.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_bitsadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 6, "id": "6925fe72-a6d5-11eb-9e17-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `certutil.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process relationships and command-line executions. The significance lies in the fact that `certutil.exe` is frequently used for downloading malicious payloads from remote URLs. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further system compromise. Immediate investigation and containment are crucial to prevent potential damage.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning MSHTA", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 5, "id": "6078fa20-a6d2-11eb-b662-acde48001122", "description": "The following analytic identifies instances where a Microsoft Office product spawns `mshta.exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is an Office application. This activity is significant because it is a common technique used by malware families like TA551 and IcedID to execute malicious scripts or payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/"], "tags": {"analytic_story": ["Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "IcedID", "NjRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\", \"onenote.exe\",\"onenotem.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 6, "id": "c661f6be-a38c-11eb-be57-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process and parent process relationships. This activity is significant as it is a known tactic of the IcedID malware family, which can lead to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. Immediate investigation and containment are recommended.", "references": ["https://www.joesandbox.com/analysis/395471/0/html", "https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/", "https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_rundll32_with_no_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 6, "id": "b3628a5b-8d02-42fa-a891-eebf2351cbe1", "description": "The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ on host $dest$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") Processes.process_name IN (\"wscript.exe\", \"cscript.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on macro based approved documents in the organization. Filtering may be needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning Wmic", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 7, "id": "ffc236d6-a6c9-11eb-95f1-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `wmic.exe`, specifically when the command-line of `wmic.exe` contains `wmic process call create`. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it is commonly associated with the Ursnif malware family, indicating potential malicious activity. If confirmed malicious, this could allow an attacker to execute arbitrary commands, leading to further system compromise, data exfiltration, or lateral movement within the network.", "references": ["https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/", "https://attack.mitre.org/techniques/T1047/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "FIN7", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Writing cab or inf", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 5, "id": "f48cd1d4-125a-11ec-a447-acde48001122", "description": "The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.", "references": ["https://twitter.com/vxunderground/status/1436326057179860992?s=20", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.inf\",\"*.cab\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_writing_cab_or_inf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Spawning Control", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "053e027c-10c7-11ec-8437-acde48001122", "description": "The following analytic identifies instances where `control.exe` is spawned by a Microsoft Office product. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it can indicate exploitation attempts related to CVE-2021-40444, where `control.exe` is used to execute malicious .cpl or .inf files. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://www.echotrail.io/insights/search/control.exe/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_spawning_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Outbound Network Connection from Java Using Default Ports", "author": "Mauricio Velazco, Lou Stella, Splunk", "date": "2024-05-26", "version": 3, "id": "d2c14d28-5c47-11ec-9892-acde48001122", "description": "The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker’s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Java performed outbound connections to default ports of LDAP or RMI on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name=\"java.exe\" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate Java applications may use perform outbound connections to these ports. Filter as needed", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "outbound_network_connection_from_java_using_default_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Overwriting Accessibility Binaries", "author": "David Dorsey, Splunk", "date": "2024-05-25", "version": 5, "id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "description": "The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A suspicious file modification or replace in $file_path$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546", "T1546.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\Windows\\\\System32\\\\sethc.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\utilman.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\osk.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Magnify.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Narrator.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "overwriting_accessibility_binaries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PaperCut NG Suspicious Behavior Debug Log", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "395163b8-689b-444b-86c7-9fe9ad624734", "description": "The following analytic identifies potential exploitation attempts on a PaperCut NG server by analyzing its debug log data. It detects unauthorized or suspicious access attempts from public IP addresses and searches for specific URIs associated with known exploits. The detection leverages regex to parse unstructured log data, focusing on admin login activities. This activity is significant as it can indicate an active exploitation attempt on the server. If confirmed malicious, attackers could gain unauthorized access, potentially leading to data breaches or further compromise of the server.", "references": ["https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs", "https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md", "https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Behavior related to exploitation of PaperCut NG has been identified on $host$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, \"(?i)(\\/app\\?service=page\\/SetupCompleted|\\/app|\\/app\\?service=page\\/PrinterList|\\/app\\?service=direct\\/1\\/PrinterList\\/selectPrinter&sp=l1001|\\/app\\?service=direct\\/1\\/PrinterDetails\\/printerOptionsTab\\.tab)\"), \"URI matches\", null()) | eval ip_match=if(match(_raw, \"(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\") AND NOT match(_raw, \"(?i)(10\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\\.(1[6-9]|2[0-9]|3[0-1])\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\\.168\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\"), \"IP matches\", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`", "how_to_implement": "Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.", "known_false_positives": "False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "papercut_ng_suspicious_behavior_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "papercutng", "definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Password Policy Discovery with Net", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "09336538-065a-11ec-8665-acde48001122", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") AND Processes.process = \"*accounts*\" AND Processes.process = \"*/domain*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "password_policy_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Permission Modification using Takeown App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "description": "The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data.", "references": ["https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"], "tags": {"analytic_story": ["Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"takeown.exe\" Processes.process = \"*/f*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "takeown.exe is a normal windows application that may used by network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "permission_modification_using_takeown_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PetitPotam Network Share Access Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "95b8061a-0a67-11ec-85ec-acde48001122", "description": "The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.", "references": ["https://attack.mitre.org/techniques/T1187/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1187"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` SubjectUserName=\"ANONYMOUS LOGON\" EventCode=5145 RelativeTargetName=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`", "how_to_implement": "Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.", "known_false_positives": "False positives have been limited when the Anonymous Logon is used for Account Name.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "petitpotam_network_share_access_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 3, "id": "e3ef244e-0a67-11ec-abf2-acde48001122", "description": "The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 src!=\"::1\" TargetUserName=*$ CertThumbprint!=\"\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`", "how_to_implement": "The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.", "known_false_positives": "False positives are possible if the environment is using certificates for authentication.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "petitpotam_suspicious_kerberos_tgt_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Ping Sleep Batch Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "ce058d6c-79f2-11ec-b476-acde48001122", "description": "The following analytic identifies the execution of ping sleep batch commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection or sandbox analysis. If confirmed malicious, this technique allows attackers to bypass security measures, making it harder to detect and analyze their activities, thereby increasing the risk of prolonged unauthorized access and potential data exfiltration.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "Warzone RAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious $process$ commandline run in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1497", "T1497.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = \"*ping*\" Processes.parent_process = *-n* Processes.parent_process=\"* Nul*\"Processes.parent_process=\"*>*\") OR (Processes.process = \"*ping*\" Processes.process = *-n* Processes.process=\"* Nul*\"Processes.process=\"*>*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator may execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ping_sleep_batch_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_ping", "definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Possible Browser Pass View Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "8ba484e8-4b97-11ec-b19a-acde48001122", "description": "The following analytic identifies processes with command-line parameters associated with web browser credential dumping tools, specifically targeting behaviors used by Remcos RAT malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and specific file paths. This activity is significant as it indicates potential credential theft, a common tactic in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain unauthorized access to sensitive web credentials, leading to further system compromise and data breaches.", "references": ["https://www.nirsoft.net/utils/web_browser_password.html", "https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious process $process_name$ contains commandline $process$ on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555.003", "T1555"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*/stext *\", \"*/shtml *\", \"*/LoadPasswordsIE*\", \"*/LoadPasswordsFirefox*\", \"*/LoadPasswordsChrome*\", \"*/LoadPasswordsOpera*\", \"*/LoadPasswordsSafari*\" , \"*/UseOperaPasswordFile*\", \"*/OperaPasswordFile*\",\"*/stab*\", \"*/scomma*\", \"*/stabular*\", \"*/shtml*\", \"*/sverhtml*\", \"*/sxml*\", \"*/skeepass*\" ) AND Processes.process IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positive is quite limited. Filter is needed", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "possible_browser_pass_view_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 3, "id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "description": "The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1021/006/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/005/", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A PowerShell process was spawned as a child process of typically abused processes on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN (\"*c:\\windows\\ccm\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "possible_lateral_movement_powershell_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Potential password in username", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-11", "version": 2, "id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "description": "The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system.", "references": ["https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928"], "tags": {"analytic_story": ["Credential Dumping", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential password in username ($user$) with Shannon entropy ($ut_shannon$)", "risk_score": 21, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078.003", "T1552.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY \"Authentication.user\" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search=\"| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\\\"$src$\\\" Authentication.dest=\\\"$dest$\\\" sourcetype IN (\\\"$sourcetype$\\\") earliest=\\\"$starttime$\\\" latest=\\\"$endtime$\\\" BY \\\"Authentication.user\\\" | `drop_dm_object_name(\\\"Authentication\\\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\\\"$incorrect_cred$\\\" | eval ut_shannon=\\\"$ut_shannon$\\\" | sort count\" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`", "how_to_implement": "To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000.", "known_false_positives": "Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potential_password_in_username_false_positive_reduction", "definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username"}, {"name": "potential_password_in_username_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Potentially malicious code on commandline", "author": "Michael Hart, Splunk", "date": "2024-05-12", "version": 2, "id": "9c53c446-757e-11ec-871d-acde48001122", "description": "The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as \"streamreader,\" \"webclient,\" \"mutex,\" \"function,\" and \"computehash,\" which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1059/003/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unusual command-line execution with command line length greater than 200 found on $dest$ with commandline value - [$process$]", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=\"Endpoint.Processes\" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potentially_malicious_code_on_cmdline_tokenize_score", "definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier"}, {"name": "potentially_malicious_code_on_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PowerShell 4104 Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "d6f2b006-0041-11ec-8885-acde48001122", "description": "The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.", "references": ["https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell", "https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt", "https://devblogs.microsoft.com/powershell/powershell-the-blue-team/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1", "https://www.mandiant.com/resources/greater-visibilityt", "https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware", "Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,\"(?i)(\\$doit)\"), \"4\", 0) | eval enccom=if(match(ScriptBlockText,\"[A-Za-z0-9+\\/]{44,}([A-Za-z0-9+\\/]{4}|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{2}==)\") OR match(ScriptBlockText, \"(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, \"(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\\S+|invoke-\\S+hunter|Install-Service|get-\\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand\"),1,0) | eval base64 = if(match(lower(ScriptBlockText),\"frombase64\"), \"4\", 0) | eval empire=if(match(lower(ScriptBlockText),\"system.net.webclient\") AND match(lower(ScriptBlockText), \"frombase64string\") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),\"mimikatz\") OR match(lower(ScriptBlockText), \"-dumpcr\") OR match(lower(ScriptBlockText), \"SEKURLSA::Pth\") OR match(lower(ScriptBlockText), \"kerberos::ptt\") OR match(lower(ScriptBlockText), \"kerberos::golden\") ,5,0) | eval iex=if(match(ScriptBlockText, \"(?i)iex|invoke-expression\"),2,0) | eval webclient=if(match(lower(ScriptBlockText),\"http\") OR match(lower(ScriptBlockText),\"web(client|request)\") OR match(lower(ScriptBlockText),\"socket\") OR match(lower(ScriptBlockText),\"download(file|string)\") OR match(lower(ScriptBlockText),\"bitstransfer\") OR match(lower(ScriptBlockText),\"internetexplorer.application\") OR match(lower(ScriptBlockText),\"xmlhttp\"),5,0) | eval get = if(match(lower(ScriptBlockText),\"get-\"), \"1\", 0) | eval rundll32 = if(match(lower(ScriptBlockText),\"rundll32\"), \"4\", 0) | eval suspkeywrd=if(match(ScriptBlockText, \"(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\\.Assembly|shellcode|injection|cnvert|shell\\.application|start-process|Rc4ByteStream|System\\.Security\\.Cryptography|lsass\\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)\"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),\"syswow64\"), \"3\", 0) | eval httplocal = if(match(lower(ScriptBlockText),\"http://127.0.0.1\"), \"4\", 0) | eval reflection = if(match(lower(ScriptBlockText),\"reflection\"), \"1\", 0) | eval invokewmi=if(match(lower(ScriptBlockText), \"(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)\"),5,0) | eval downgrade=if(match(ScriptBlockText, \"(?i)([-]ve*r*s*i*o*n*\\s+2)\") OR match(lower(ScriptBlockText),\"powershell -version\"),3,0) | eval compressed=if(match(ScriptBlockText, \"(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive\"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),\"invoke-command\"), \"4\", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Limited false positives. May filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_4104_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "author": "David Dorsey, Michael Haag Splunk", "date": "2024-05-12", "version": 9, "id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "description": "The following analytic detects PowerShell commands using the WindowStyle parameter to hide the window while connecting to the Internet. This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions that include variations of the WindowStyle parameter. This activity is significant because it attempts to bypass default PowerShell execution policies and conceal its actions, which is often indicative of malicious intent. If confirmed malicious, this could allow an attacker to execute commands stealthily, potentially leading to unauthorized data exfiltration or further compromise of the endpoint.", "references": ["https://regexr.com/663rr", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/"], "tags": {"analytic_story": ["AgentTesla", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell___connect_to_internet_with_hidden_window_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ea61e291-af05-4716-932a-67faddb6ae6f", "description": "The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script has been identified with InProcServer32 within the script code on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.015", "T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Software\\\\Classes\\\\CLSID\\\\*\\\\InProcServer32*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives will be present if any scripts are adding to inprocserver32. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Creating Thread Mutex", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 4, "id": "637557ec-ca08-11eb-bd0a-acde48001122", "description": "The following analytic detects the execution of PowerShell scripts using the `mutex` function via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create thread mutexes, a technique often used in obfuscated scripts to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment.", "references": ["https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains Thread Mutex on host $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027", "T1027.005", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Threading.Mutex*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell developer may used this function in their script for instance checking too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_creating_thread_mutex_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Disable Security Monitoring", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 4, "id": "c148a894-dd93-11eb-bf2a-acde48001122", "description": "The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Defender Real-time Behavior Monitoring disabled on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"*set-mppreference*\" AND Processes.process IN (\"*disablerealtimemonitoring*\",\"*disableioavprotection*\",\"*disableintrusionpreventionsystem*\",\"*disablescriptscanning*\",\"*disableblockatfirstseen*\",\"*DisableBehaviorMonitoring*\",\"*drtm *\",\"*dioavp *\",\"*dscrptsc *\",\"*dbaf *\",\"*dbm *\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. However, tune based on scripts that may perform this action.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell_disable_security_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PowerShell Domain Enumeration", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "e1866ce2-ca22-11eb-8e44-acde48001122", "description": "The following analytic detects the execution of PowerShell commands used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_domain_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Enable PowerShell Remoting", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "description": "The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-PSremoting on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Enable-PSRemoting*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_powershell_remoting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Enable SMB1Protocol Feature", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "afed80b2-d34b-11eb-a952-acde48001122", "description": "The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Powershell Enable SMB1Protocol Feature on $Computer$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027", "T1027.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Enable-WindowsOptionalFeature*\" ScriptBlockText = \"*SMB1Protocol*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "network operator may enable or disable this windows feature.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_smb1protocol_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Execute COM Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "65711630-f9bf-11eb-8d72-acde48001122", "description": "The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains COM CLSID command on host $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.015", "T1546", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*CreateInstance([type]::GetTypeFromCLSID*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operrator may use this command.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_execute_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "a26d9db4-c883-11eb-9d75-acde48001122", "description": "The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains GetProcAddress API on host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1055", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_process_injection_via_getprocaddress_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "8acbc04c-c882-11eb-b060-acde48001122", "description": "The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell", "NjRAT", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains base64 command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1027", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_script_contains_base64_encoded_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Get LocalGroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "b71adfcc-155b-11ec-9413-acde48001122", "description": "The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process=\"*get-localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell_get_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "d7c6ad22-155c-11ec-bb64-acde48001122", "description": "The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on endpoint $dest$ by user $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-localgroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_get_localgroup_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "651ee958-a433-471c-b264-39725b788b83", "description": "The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-CIMMethod*\", \"*New-CimSession*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_cimmethod_cimsession_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Invoke WmiExec Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "0734bd21-2769-4972-a5f1-78bb1e011224", "description": "The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-WmiExec on $Computer$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-wmiexec*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_wmiexec_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Load Module in Meterpreter", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "d5905da5-d050-48db-9259-018d8f034fcf", "description": "The following analytic detects the execution of suspicious PowerShell commands associated with Meterpreter modules, such as \"MSF.Powershell\" and \"MSF.Powershell.Meterpreter\". It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it indicates potential post-exploitation actions, including credential dumping and persistence mechanisms. If confirmed malicious, an attacker could gain extensive control over the compromised system, escalate privileges, and maintain long-term access, posing a severe threat to the environment.", "references": ["https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs"], "tags": {"analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_id", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*MSF.Powershell*\",\"*MSF.Powershell.Meterpreter*\",\"*MSF.Powershell.Meterpreter.Kiwi*\",\"*MSF.Powershell.Meterpreter.Transport*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives should be very limited as this is strict to MetaSploit behavior.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_load_module_in_meterpreter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 4, "id": "85bc3f30-ca28-11eb-bd21-acde48001122", "description": "The following analytic detects the use of PowerShell to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["AgentTesla", "AsyncRAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*[system.reflection.assembly]::load(*\",\"*[reflection.assembly]*\", \"*reflection.assembly*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as day to day scripts do not use this method.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_loading_dotnet_into_memory_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Processing Stream Of Data", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "0d718b52-c9f1-11eb-bc61-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment.", "references": ["https://medium.com/@ahmedjouini99/deobfuscating-emotets-powershell-payload-e39fb116f7b9", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*IO.Compression.*\" OR ScriptBlockText = \"*IO.StreamReader*\" OR ScriptBlockText = \"*]::Decompress*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to process compressed data.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_processing_stream_of_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Remote Services Add TrustedHost", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "bef21d24-297e-45e3-9b9a-c6ac45450474", "description": "The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a powershell script adding a remote trustedhost on $dest$ .", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021.006", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*WSMan:\\\\localhost\\\\Client\\\\TrustedHosts*\" ScriptBlockText IN (\"* -Value *\", \"* -Concatenate *\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "user and network administrator may used this function to add trusted host.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remote_services_add_trustedhost_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Remote Thread To Known Windows Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "description": "The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "references": ["https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode = 8 parent_process_name IN (\"powershell_ise.exe\", \"powershell.exe\") TargetImage IN (\"*\\\\svchost.exe\",\"*\\\\csrss.exe\" \"*\\\\gpupdate.exe\", \"*\\\\explorer.exe\",\"*\\\\services.exe\",\"*\\\\winlogon.exe\",\"*\\\\smss.exe\",\"*\\\\wininit.exe\",\"*\\\\userinit.exe\",\"*\\\\spoolsv.exe\",\"*\\\\taskhost.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell_remote_thread_to_known_windows_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Powershell Remove Windows Defender Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 4, "id": "adf47620-79fa-11ec-b248-acde48001122", "description": "The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing \"rmdir\" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "suspicious powershell script $ScriptBlockText$ was executed on the $Computer$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*rmdir *\" AND ScriptBlockText = \"*\\\\Microsoft\\\\Windows Defender*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remove_windows_defender_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Script Block With URL Chain", "author": "Steven Dick", "date": "2024-05-30", "version": 2, "id": "4a3f2a7d-6402-4e64-a76a-869588ec3b57", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. It leverages PowerShell operational logs to detect script blocks with embedded URLs, often indicative of obfuscated scripts or those attempting to download secondary payloads. This activity is significant as it may signal an attempt to execute malicious code or download additional malware. If confirmed malicious, this could lead to code execution, further system compromise, or data exfiltration. Review parallel processes and the full script block for additional context and related artifacts.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.001", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*http:*\",\"*https:*\") | regex ScriptBlockText=\"(\\\"?(https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\\\"?(?:,|\\))?){2,}\" | rex max_match=20 field=ScriptBlockText \"(?https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_script_block_with_url_chain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Start-BitsTransfer", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "39e2605a-90d8-11eb-899e-acde48001122", "description": "The following analytic detects the execution of the PowerShell command `Start-BitsTransfer`, which can be used for file transfers, including potential data exfiltration. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because `Start-BitsTransfer` can be abused by adversaries to upload sensitive files to remote locations, posing a risk of data loss. If confirmed malicious, this could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further exploitation of the network.", "references": ["https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281", "https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs"], "tags": {"analytic_story": ["BITS Jobs"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1197"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell_start_bitstransfer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PowerShell Start or Stop Service", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "description": "The following analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security.", "references": ["https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_start_or_stop_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Using memory As Backing Store", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution using memory streams as a backing store, identified via EventCode 4104. It leverages PowerShell Script Block Logging to capture scripts that create new objects with memory streams, often used to decompress and execute payloads in memory. This activity is significant as it indicates potential in-memory execution of malicious code, bypassing traditional file-based detection. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges without leaving a trace on the disk.", "references": ["https://web.archive.org/web/20201112031711/https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains memorystream command on host $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to store out object into memory.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_using_memory_as_backing_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell WebRequest Using Memory Stream", "author": "Steven Dick", "date": "2024-05-12", "version": 2, "id": "103affa6-924a-4b53-aff4-1d5075342aab", "description": "The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.001", "T1105", "T1027.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*system.net.webclient*\",\"*system.net.webrequest*\") AND ScriptBlockText=\"*IO.MemoryStream*\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_webrequest_using_memory_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Windows Defender Exclusion Commands", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "description": "The following analytic detects the use of PowerShell commands to add or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "Warzone RAT", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $ScriptBlockText$ executed on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Add-MpPreference *\" OR ScriptBlockText = \"*Set-MpPreference *\") AND ScriptBlockText = \"*-exclusion*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_windows_defender_exclusion_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "description": "The following analytic detects the execution of \"bcdedit.exe\" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage.", "references": ["https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"], "tags": {"analytic_story": ["Chaos Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"bcdedit.exe\" Processes.process = \"*bootstatuspolicy*\" Processes.process = \"*ignoreallfailures*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration ignore failure during testing and debugging.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "prevent_automatic_repair_mode_using_bcdedit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Print Processor Registry Autostart", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "1f5b68aa-2037-11ec-898e-acde48001122", "description": "The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine.", "references": ["https://attack.mitre.org/techniques/T1547/012/", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Print Processors*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "possible new printer installation may add driver component on this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "print_processor_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Print Spooler Adding A Printer Driver", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "313681a2-da8e-11eb-adad-acde48001122", "description": "The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as \"kernelbase.dll\" and \"UNIDRV.DLL.\" This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. Immediate isolation and investigation of the endpoint are recommended.", "references": ["https://twitter.com/MalwareJake/status/1410421445608476679?s=20", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious print driver was loaded on endpoint $ComputerName$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`printservice` EventCode=316 category = \"Adding a printer driver\" Message = \"*kernelbase.dll,*\" Message = \"*UNIDRV.DLL,*\" Message = \"*.DLL.*\" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "Unknown. This may require filtering.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "print_spooler_adding_a_printer_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Print Spooler Failed to Load a Plug-in", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "1adc9548-da7c-11eb-8f13-acde48001122", "description": "The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as \"meterpreter.dll,\" with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`printservice` ((ErrorCode=\"0x45A\" (EventCode=\"808\" OR EventCode=\"4909\")) OR (\"The print spooler failed to load a plug-in module\" OR \"\\\\drivers\\\\x64\\\\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "False positives are unknown and filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "print_spooler_failed_to_load_a_plug_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Process Creating LNK file in Suspicious Location", "author": "Jose Hernandez, Michael Haag, Splunk", "date": "2024-05-15", "version": 7, "id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "description": "The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\\User*` or `*\\Local\\Temp\\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.", "references": ["https://attack.mitre.org/techniques/T1566/001/", "https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["Amadey", "IcedID", "Qakbot", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that launching .lnk file in $file_path$ in host $dest$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.lnk\" AND (Filesystem.file_path=\"C:\\\\Users\\\\*\" OR Filesystem.file_path=\"*\\\\Temp\\\\*\") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_name Processes.parent_process_guid Processes.process_name Processes.dest Processes.process Processes.path | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_creating_lnk_file_in_suspicious_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Process Deleting Its Process File Path", "author": "Teoderick Contreras", "date": "2024-05-27", "version": 3, "id": "f7eda4bc-871c-11eb-b110-acde48001122", "description": "The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "Data Destruction", "Remcos", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $Image$ tries to delete its process path in commandline $CommandLine$ as part of defense evasion in host $dest$ by user $user$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=1 CommandLine = \"* /c *\" CommandLine = \"* del*\" Image = \"*\\\\cmd.exe\" | eval result = if(like(process,\"%\".parent_process.\"%\"), \"Found\", \"Not Found\") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = \"Found\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_deleting_its_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Process Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-22", "version": 6, "id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "description": "The following analytic detects the execution of a process by `WmiPrvSE.exe`, indicating potential use of WMI (Windows Management Instrumentation) for process creation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as WMI can be used for lateral movement, remote code execution, or persistence by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary commands or scripts, potentially leading to further compromise of the affected system or network.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN (\"*\\\\dismhost.exe*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to execute commands for legitimate purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Process Kill Base On File Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "description": "The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process=\"*process*\" AND Processes.process=\"*executablepath*\" AND Processes.process=\"*delete*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_kill_base_on_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Process Writing DynamicWrapperX", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "b0a078e4-2601-11ec-9aec-acde48001122", "description": "The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1559.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"dynwrapx.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_writing_dynamicwrapperx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Processes launching netsh", "author": "Michael Haag, Josef Kuepker, Splunk", "date": "2024-05-24", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162040e", "description": "The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "Netsh Abuse", "Snake Keylogger", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 14, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "processes_launching_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Processes Tapping Keyboard Events", "author": "Jose Hernandez, Splunk", "date": "2024-05-13", "version": 2, "id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "description": "The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.", "known_false_positives": "There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "processes_tapping_keyboard_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Randomly Generated Scheduled Task Name", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "description": "The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://splunkbase.splunk.com/app/2734/", "https://en.wikipedia.org/wiki/Entropy_(information_theory)"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task with a suspicious task name was created on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Scheduled Task names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "randomly_generated_scheduled_task_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Randomly Generated Windows Service Name", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "description": "The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service with a suspicious service name was installed on $ComputerName$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Windows Service names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "randomly_generated_windows_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Ransomware Notes bulk creation", "author": "Teoderick Contreras", "date": "2024-05-25", "version": 2, "id": "eff7919a-8330-11eb-83f8-acde48001122", "description": "The following analytic identifies the bulk creation of ransomware notes (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode 11 to detect multiple instances of these file types being created within a short time frame. This activity is significant as it often indicates an active ransomware attack, where the attacker is notifying the victim of the encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Chaos Ransomware", "Clop Ransomware", "DarkSide Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A high frequency file creation of $file_name$ in different file path in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ransomware_notes_bulk_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Recon AVProduct Through Pwh or WMI", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "28077620-c9f6-11eb-8785-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like \"SELECT,\" \"WMIC,\" \"AntiVirusProduct,\" or \"AntiSpywareProduct.\" This activity is significant as it is commonly used by malware and APT actors to map running security applications or services, potentially aiding in evasion techniques. If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Prestige Ransomware", "Qakbot", "Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains AV recon command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1592"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_avproduct_through_pwh_or_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Recon Using WMI Class", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "018c1972-ca07-11eb-9473-acde48001122", "description": "The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Industroyer2", "LockBit Ransomware", "Malicious PowerShell", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains host recon commands detected on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1592", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 (ScriptBlockText= \"*SELECT*\" OR ScriptBlockText= \"*Get-WmiObject*\") AND (ScriptBlockText= \"*Win32_Bios*\" OR ScriptBlockText= \"*Win32_OperatingSystem*\" OR ScriptBlockText= \"*Win32_Processor*\" OR ScriptBlockText= \"*Win32_ComputerSystem*\" OR ScriptBlockText= \"*Win32_PnPEntity*\" OR ScriptBlockText= \"*Win32_ShadowCopy*\" OR ScriptBlockText= \"*Win32_DiskDrive*\" OR ScriptBlockText= \"*Win32_PhysicalMemory*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_using_wmi_class_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Recursive Delete of Directory In Batch CMD", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 4, "id": "ba570b3a-d356-11eb-8358-acde48001122", "description": "The following analytic detects the execution of a batch command designed to recursively delete files or directories, a technique often used by ransomware like Reddot to delete files in the recycle bin and prevent recovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific flags for recursive and quiet deletions. This activity is significant as it indicates potential ransomware behavior aimed at data destruction. If confirmed malicious, it could lead to significant data loss and hinder recovery efforts, severely impacting business operations.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Recursive Delete of Directory In Batch CMD by $user$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process=\"* rd *\" Processes.process=\"*/s*\" Processes.process=\"*/q*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may use this batch command to delete recursively a directory or files within directory", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "recursive_delete_of_directory_in_batch_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 6, "id": "8470d755-0c13-45b3-bd63-387a373c10cf", "description": "The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise.", "references": [], "tags": {"analytic_story": ["Living Off The Land", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A reg.exe process $process_name$ with commandline $process$ in host $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.011", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "reg_exe_manipulating_windows_services_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Registry Keys for Creating SHIM Databases", "author": "Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 7, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "description": "The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to shim modication in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.011", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "registry_keys_for_creating_shim_databases_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Registry Keys Used For Persistence", "author": "Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk", "date": "2024-05-25", "version": 10, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "description": "The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.", "references": [], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "CISA AA23-347A", "Chaos Ransomware", "DHS Report TA18-074A", "DarkGate Malware", "Emotet Malware DHS Report TA18-201A", "IcedID", "NjRAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Qakbot", "Ransomware", "RedLine Stealer", "Remcos", "Snake Keylogger", "Sneaky Active Directory Persistence Tricks", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to persistence in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.001", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce OR Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\" OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\" OR Registry.registry_path=*\\\\currentversion\\\\run* OR Registry.registry_path=*\\\\currentVersion\\\\Windows\\\\Appinit_Dlls* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Notify* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\VmApplet* OR Registry.registry_path=*\\\\currentversion\\\\policies\\\\explorer\\\\run* OR Registry.registry_path=*\\\\currentversion\\\\runservices* OR Registry.registry_path=HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\* OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\" OR Registry.registry_path= *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler OR Registry.registry_path= *\\\\Classes\\\\htmlfile\\\\shell\\\\open\\\\command OR (Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\") OR (Registry.registry_path=\"*currentVersion\\\\Windows\" AND Registry.registry_key_name=\"Load\") OR (Registry.registry_path=\"*\\\\CurrentVersion\" AND Registry.registry_key_name=\"Svchost\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\Control\\Session Manager\"AND Registry.registry_key_name=\"BootExecute\") OR (Registry.registry_path=\"*\\\\Software\\\\Run\" AND Registry.registry_key_name=\"auto_update\")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "registry_keys_used_for_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Registry Keys Used For Privilege Escalation", "author": "Steven Dick, David Dorsey, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 8, "id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "description": "The following analytic detects modifications to registry keys under \"Image File Execution Options\" that can be used for privilege escalation. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths and values like GlobalFlag and Debugger. This activity is significant because attackers can use these modifications to intercept executable calls and attach malicious binaries to legitimate system binaries. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges, leading to potential system compromise and persistent access.", "references": ["https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Data Destruction", "Hermetic Wiper", "Suspicious Windows Registry Activities", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to privilege escalation in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.012", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "registry_keys_used_for_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "f421c250-24e7-11ec-bc43-acde48001122", "description": "The following analytic detects the loading of a DLL using the regsvr32 application with the silent parameter and DLLInstall execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent process details. This activity is significant as it is commonly used by RAT malware like Remcos and njRAT to load malicious DLLs on compromised machines. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, and further compromise the system.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/", "https://attack.mitre.org/techniques/T1218/010/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Living Off The Land", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process=\"*/i*\" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_silent_and_install_param_dll_loading_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other third part application may used this parameter but not so common in base windows environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "regsvr32_silent_and_install_param_dll_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 3, "id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "description": "The following analytic detects the execution of Regsvr32.exe with the silent switch to load DLLs. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing the `-s` or `/s` switches. This activity is significant as it is commonly used in malware campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, this could allow an attacker to execute arbitrary code, download additional payloads, and potentially compromise the system further. Immediate investigation and endpoint isolation are recommended.", "references": ["https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/", "https://regexr.com/699e2"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Living Off The Land", "Qakbot", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_with_known_silent_switch_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "minimal. but network operator can use this application to load dll.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "regsvr32_with_known_silent_switch_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remcos client registry install entry", "author": "Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "f2a1615a-1d63-11ec-97d2-acde48001122", "description": "The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the \"license\" key is found in the \"Software\\Remcos\" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. Immediate investigation and remediation are required.", "references": ["https://attack.mitre.org/software/S0332/"], "tags": {"analytic_story": ["Remcos", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\\\Software\\\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remcos_client_registry_install_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remcos RAT File Creation in Remcos Folder", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2024-05-24", "version": 3, "id": "25ae862a-1ac3-11ec-94a1-acde48001122", "description": "The following analytic detects the creation of files in the Remcos folder within the AppData directory, specifically targeting keylog and clipboard log files. It leverages the Endpoint.Filesystem data model to identify .dat files created in paths containing \"remcos.\" This activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. If confirmed malicious, this could lead to unauthorized data exfiltration and extensive surveillance capabilities for the attacker.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "file $file_name$ created in $file_path$ of $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.dat\") Filesystem.file_path = \"*\\\\remcos\\\\*\" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remcos_rat_file_creation_in_remcos_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Desktop Process Running On System", "author": "David Dorsey, Splunk", "date": "2024-05-24", "version": 6, "id": "f5939373-8054-40ad-8c64-cec478a22a4a", "description": "The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remote_desktop_process_running_on_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint by abusing the DCOM protocol, specifically targeting ShellExecute and ExecuteShellCommand. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant as it indicates potential lateral movement and remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, escalate privileges, and move laterally within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing DCOM using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Document.ActiveView.ExecuteShellCommand*\" OR Processes.process=\"*Document.Application.ShellExecute*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_dcom_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "description": "The following analytic detects the execution of PowerShell commands that initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Document.Application.ShellExecute*\" OR ScriptBlockText=\"*Document.ActiveView.ExecuteShellCommand*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint via the WinRM protocol, specifically targeting the `Invoke-Command` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-Command*\" AND Processes.process=\"*-ComputerName*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_winrm_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "description": "The following analytic detects the execution of PowerShell commands that use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify such activities. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Invoke-Command*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and Winrs", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "description": "The following analytic detects the execution of `winrs.exe` with command-line arguments used to start a process on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs", "https://attack.mitre.org/techniques/T1021/006/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process=\"*-r:*\" OR Processes.process=\"*-remote:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remote_process_instantiation_via_winrm_and_winrs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WMI", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 8, "id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "description": "The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Ransomware", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=\"*/node:*\" AND Processes.process=\"*process*\" AND Processes.process=\"*call*\" AND Processes.process=\"*create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` using the `Invoke-WmiMethod` cmdlet to start a process on a remote endpoint via WMI. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it indicates potential lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-WmiMethod*\" AND Processes.process=\"*-CN*\" AND Processes.process=\"*-Class Win32_Process*\" AND Processes.process=\"*-Name create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_wmi_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "2a048c14-4634-11ec-a618-3e22fbd008af", "description": "The following analytic detects the execution of the `Invoke-WmiMethod` commandlet with parameters used to start a process on a remote endpoint via WMI, leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies specific script block text patterns associated with remote process instantiation. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Invoke-WmiMethod*\" AND (ScriptBlockText=\"*-CN*\" OR ScriptBlockText=\"*-ComputerName*\") AND ScriptBlockText=\"*-Class Win32_Process*\" AND ScriptBlockText=\"*-Name create*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote System Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 3, "id": "70803451-0047-4e12-9d63-77fa7eb8649c", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell scripts to query Active Directory for domain computers. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` or `findOne()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to perform Active Directory discovery and gain situational awareness. If confirmed malicious, this could lead to further reconnaissance and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration with adsisearcher on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*adsisearcher*\" AND ScriptBlockText = \"*objectcategory=computer*\" AND ScriptBlockText IN (\"*findAll()*\",\"*findOne()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_system_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote System Discovery with Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "description": "The following analytic detects the execution of `dsquery.exe` with the `computer` argument, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Remote system discovery is significant as it indicates potential reconnaissance activities by adversaries or Red Teams to map out network resources and Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, lateral movement, and unauthorized access to critical systems within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remote_system_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote System Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "9df16706-04a2-41e2-bbfe-9b38b34409d3", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*domain computers*\" AND Processes.process=*/do*) OR (Processes.process=\"*view*\" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remote_system_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote System Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "description": "The following analytic detects the execution of `wmic.exe` with specific command-line arguments used to discover remote systems within a domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out network resources and Active Directory structures. If confirmed malicious, this behavior could allow attackers to gain situational awareness, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_computer* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remote_system_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote WMI Command Attempt", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-17", "version": 5, "id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "description": "The following analytic detects the execution of `wmic.exe` with the `node` switch, indicating an attempt to spawn a local or remote process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, the attacker could gain remote control over the targeted system, execute arbitrary commands, and potentially escalate privileges or persist within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.yaml", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Graceful Wipe Out Attack", "IcedID", "Living Off The Land", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain node commandline $process$ in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use this legitimately to gather info from remote systems. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_wmi_command_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Resize ShadowStorage volume", "author": "Teoderick Contreras", "date": "2024-05-13", "version": 2, "id": "bc760ca6-8336-11eb-bcbb-acde48001122", "description": "The following analytic identifies the resizing of shadow storage volumes, a technique used by ransomware like CLOP to prevent the recreation of shadow volumes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"vssadmin.exe\" with parameters related to resizing shadow storage. This activity is significant as it indicates an attempt to hinder recovery efforts by manipulating shadow copies. If confirmed malicious, this could lead to successful ransomware deployment, making data recovery difficult and increasing the potential for data loss.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://redcanary.com/blog/blackbyte-ransomware/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $parent_process_name$ attempt to resize shadow copy with commandline $process$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell.exe\" OR Processes.parent_process_name = \"powershell_ise.exe\" OR Processes.parent_process_name = \"wmic.exe\" Processes.process_name = \"vssadmin.exe\" Processes.process=\"*resize*\" Processes.process=\"*shadowstorage*\" Processes.process=\"*/maxsize*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can resize the shadowstorage for valid purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "resize_shadowstorage_volume_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Revil Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 3, "id": "85facebe-c382-11eb-9c3e-acde48001122", "description": "The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as \"-nolan\", \"-nolocal\", \"-fast\", and \"-full\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* -nolan *\" OR Processes.process = \"* -nolocal *\" OR Processes.process = \"* -fast *\" OR Processes.process = \"* -full *\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party tool may have same command line parameters as revil ransomware.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "revil_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Revil Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 4, "id": "e3d3f57a-c381-11eb-9e35-acde48001122", "description": "The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as `SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant` and `SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "revil_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rubeus Command Line Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "cca37478-8377-11ec-b59a-acde48001122", "description": "The following analytic detects the use of Rubeus command line parameters, a toolset for Kerberos attacks within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as Rubeus is commonly used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Rubeus command line parameters were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*ptt /ticket*\" OR Processes.process = \"* monitor /interval*\" OR Processes.process =\"* asktgt* /user:*\" OR Processes.process =\"* asktgs* /service:*\" OR Processes.process =\"* golden* /user:*\" OR Processes.process =\"* silver* /service:*\" OR Processes.process =\"* kerberoast*\" OR Processes.process =\"* asreproast*\" OR Processes.process = \"* renew* /ticket:*\" OR Processes.process = \"* brute* /password:*\" OR Processes.process = \"* brute* /passwords:*\" OR Processes.process =\"* harvest*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rubeus_command_line_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "5ed8c50a-8869-11ec-876f-acde48001122", "description": "The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "Winlogon.exe was accessed by $SourceImage$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `sysmon` EventCode=10 TargetImage=C:\\\\Windows\\\\system32\\\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\\\Windows\\\\system32\\\\svchost.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\lsass.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\LogonUI.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\smss.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment.", "known_false_positives": "Legitimate applications may obtain a handle for winlogon.exe. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Runas Execution in CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "4807e716-43a4-11ec-a0e7-acde48001122", "description": "The following analytic detects the execution of the runas.exe process with administrator user options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to gain elevated privileges, a common tactic in privilege escalation and lateral movement. If confirmed malicious, this could allow an attacker to execute commands with higher privileges, potentially leading to unauthorized access, data exfiltration, or further compromise of the target host.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "elevated process using runas on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134", "T1134.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = \"*/user:*\" AND Processes.process = \"*admin*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_runas", "definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "runas_execution_in_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Control RunDLL Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "description": "The following analytic identifies instances of rundll32.exe executing with `Control_RunDLL` in the command line, which is indicative of loading a .cpl or other file types. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as rundll32.exe can be exploited to execute malicious Control Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_control_rundll_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "1adffe86-10c3-11ec-8ce6-acde48001122", "description": "The following analytic detects the execution of rundll32.exe with the `Control_RunDLL` command, loading files from world-writable directories such as windows\\temp, programdata, or appdata. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process command-line data and specific directory paths. This activity is significant as it may indicate an attempt to exploit CVE-2021-40444 or similar vulnerabilities, allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_control_rundll_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Create Remote Thread To A Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "2dbeee3a-f067-11eb-96c0-acde48001122", "description": "The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage = \"*.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_create_remote_thread_to_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "f8a22586-ee2d-11eb-a193-acde48001122", "description": "The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_createremotethread_in_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 DNSQuery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "f1483f5e-ee29-11eb-9d23-acde48001122", "description": "The following analytic detects a suspicious `rundll32.exe` process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is commonly associated with IcedID malware, where `rundll32.exe` checks internet connectivity and communicates with C&C servers to download configurations and other components. If confirmed malicious, this activity could allow attackers to establish persistence, download additional payloads, and exfiltrate sensitive data, posing a severe threat to the network.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ made a DNS query for $query$ from host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 process_name=\"rundll32.exe\" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_dnsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 LockWorkStation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "fa90f372-f91d-11eb-816c-acde48001122", "description": "The following analytic detects the execution of the rundll32.exe command with the user32.dll,LockWorkStation parameter, which is used to lock the workstation via command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is an uncommon method to lock a screen and has been observed in CONTI ransomware tooling for defense evasion. If confirmed malicious, this technique could indicate an attempt to evade detection and hinder incident response efforts.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,LockWorkStation*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "rundll32_lockworkstation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 3, "id": "6338266a-ee2a-11eb-bf68-acde48001122", "description": "The following analytic detects a rundll32 process creating executable (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to identify instances where rundll32.exe generates these file types. This activity is significant because rundll32 is often exploited by malware, such as IcedID, to drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, establish persistence, or escalate privileges within the environment.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "rundll32 process drops a file $file_name$ on host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*rundll32.exe\" TargetFilename IN (\"*.exe\", \"*.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_process_creating_exe_dll_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 Shimcache Flush", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "a913718a-25b6-11ec-96d3-acde48001122", "description": "The following analytic detects the execution of a suspicious rundll32 command line used to clear the shim cache. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because clearing the shim cache is an anti-forensic technique aimed at evading detection and removing forensic artifacts. If confirmed malicious, this action could hinder incident response efforts, allowing an attacker to cover their tracks and maintain persistence on the compromised machine.", "references": ["https://blueteamops.medium.com/shimcache-flush-89daff28d15e"], "tags": {"analytic_story": ["Living Off The Land", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32 process execute $process$ to clear shim cache in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = \"*apphelp.dll,ShimFlushCache*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_shimcache_flush_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-21", "version": 5, "id": "35307032-a12d-11eb-835f-acde48001122", "description": "The following analytic detects the execution of rundll32.exe without command line arguments, followed by a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry and network traffic data. It is significant because rundll32.exe typically requires arguments to function, and its absence is often associated with malicious activity, such as Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to establish unauthorized network connections, potentially leading to data exfiltration or further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "RunDLL Loading DLL By Ordinal", "author": "Michael Haag, David Dorsey, Splunk", "date": "2024-05-20", "version": 7, "id": "6c135f8d-5e60-454e-80b7-c56eed739833", "description": "The following analytic detects rundll32.exe loading a DLL export function by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant because adversaries may use rundll32.exe to execute malicious code while evading security tools that do not monitor this process. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://twitter.com/M_haggis/status/1491109262428635136", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"rundll32.+\\#\\d+\") | `rundll_loading_dll_by_ordinal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll_loading_dll_by_ordinal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Ryuk Test Files Detected", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 2, "id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "description": "The following analytic identifies the presence of files containing the keyword \"Ryuk\" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A creation of ryuk test file $file_path$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE \"Filesystem.file_path\"=C:\\\\*Ryuk* BY \"Filesystem.dest\", \"Filesystem.user\", \"Filesystem.file_path\" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ryuk_test_files_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Ryuk Wake on LAN Command", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "538d0152-7aaa-11eb-beaa-acde48001122", "description": "The following analytic detects the use of Wake-on-LAN commands associated with Ryuk ransomware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line activities. This behavior is significant as Ryuk ransomware uses Wake-on-LAN to power on devices in a compromised network, increasing its encryption success rate. If confirmed malicious, this activity could lead to widespread ransomware encryption across multiple endpoints, causing significant operational disruption and data loss. Immediate isolation and thorough investigation of the affected endpoints are crucial to mitigate the impact.", "references": ["https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf"], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with wake on LAN commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*8 LAN*\" OR Processes.process=\"*9 REP*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no known false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ryuk_wake_on_lan_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SAM Database File Access Attempt", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "57551656-ebdb-11eb-afdf-acde48001122", "description": "The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\\system32\\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions", "https://en.wikipedia.org/wiki/Security_Account_Manager"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "ObjectName", "type": "File", "role": ["Attacker"]}], "message": "The following process $process_name$ accessed the object $ObjectName$ attempting to gain access to credentials on $dest$ by user $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` (EventCode=4663) ProcessName!=*\\\\dllhost.exe ObjectName IN (\"*\\\\Windows\\\\System32\\\\config\\\\SAM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SYSTEM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SECURITY*\") | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sam_database_file_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Samsam Test File Write", "author": "Rico Valdez, Splunk", "date": "2024-05-14", "version": 2, "id": "493a879d-519d-428f-8f57-a06a0fdc107e", "description": "The following analytic detects the creation of a file named \"test.txt\" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A samsam ransomware test file creation in $file_path$ in host $dest$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\windows\\\\system32\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`", "how_to_implement": "You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "No false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "samsam_test_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Sc exe Manipulating Windows Services", "author": "Rico Valdez, Splunk", "date": "2024-05-20", "version": 5, "id": "f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d", "description": "The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.", "references": ["https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "NOBELIUM Group", "Orangeworm Attack Group", "Windows Drivers", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\"* create *\" OR Processes.process=\"* config *\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sc_exe_manipulating_windows_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SchCache Change By App Connect And Create ADSI Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "991eb510-0fc6-11ec-82d3-acde48001122", "description": "The following analytic detects an application attempting to connect and create an ADSI object to perform an LDAP query. It leverages Sysmon EventCode 11 to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. This activity is significant as it can indicate the presence of suspicious applications, such as ransomware, using ADSI object APIs for LDAP queries. If confirmed malicious, this behavior could allow attackers to gather sensitive directory information, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $Image$ create a file $TargetFilename$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=11 TargetFilename = \"*\\\\Windows\\\\SchCache\\\\*\" TargetFilename = \"*.sch*\" NOT (Image IN (\"*\\\\Windows\\\\system32\\\\mmc.exe\")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal application like mmc.exe and other ldap query tool may trigger this detections.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "schcache_change_by_app_connect_and_create_adsi_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Schedule Task with HTTP Command Arguments", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "523c2684-a101-11eb-916b-acde48001122", "description": "The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/"], "tags": {"analytic_story": ["Living Off The Land", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN (\"*http*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schedule_task_with_http_command_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "description": "The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*rundll32*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schedule_task_with_rundll32_command_trigger_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "4be54858-432f-11ec-8209-3e22fbd008af", "description": "The following analytic detects the creation of scheduled tasks on remote Windows endpoints using the at.exe command. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events involving at.exe with remote command-line arguments. Identifying this activity is significant for a SOC as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this activity could lead to unauthorized access, persistence, or execution of malicious code, potentially resulting in data theft or further compromise of the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "scheduled_task_creation_on_remote_endpoint_using_at_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "author": "Bhavin Patel, Splunk", "date": "2024-05-17", "version": 7, "id": "d5af132c-7c17-439c-9d31-13d55340f36c", "description": "The following analytic identifies the creation or deletion of scheduled tasks using the schtasks.exe utility with the -create or -delete flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it can indicate unauthorized system manipulation or malicious intent, often associated with threat actors like Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this activity could allow attackers to execute code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.joesandbox.com/analysis/691823/0/html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "CISA AA22-257A", "CISA AA23-347A", "DHS Report TA18-074A", "DarkCrystal RAT", "Living Off The Land", "NOBELIUM Group", "NjRAT", "Phemedrone Stealer", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Sandworm Tools", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "scheduled_task_deleted_or_created_via_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "95cf4608-4302-11ec-8194-3e22fbd008af", "description": "The following analytic detects the use of 'schtasks.exe' to start a Scheduled Task on a remote endpoint. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process details such as process name, parent process, and command-line executions. This activity is significant as adversaries often abuse Task Scheduler for lateral movement and remote code execution. If confirmed malicious, this behavior could allow attackers to execute arbitrary code remotely, potentially leading to further compromise of the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was ran on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "scheduled_task_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Schtasks Run Task On Demand", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "bb37061e-af1f-11eb-a159-acde48001122", "description": "The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["CISA AA22-257A", "Data Destruction", "Industroyer2", "Qakbot", "Scheduled Tasks", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A \"on demand\" execution of schedule task process $process_name$ using commandline $process$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/run*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schtasks_run_task_on_demand_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Schtasks scheduling job on remote system", "author": "David Dorsey, Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 7, "id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "description": "The following analytic detects the use of 'schtasks.exe' to create a scheduled task on a remote system, indicating potential lateral movement or remote code execution. It leverages process data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments and flags. This activity is significant as it may signify an adversary's attempt to persist or execute code remotely. If confirmed malicious, this could allow attackers to maintain access, execute arbitrary commands, or further infiltrate the network, posing a severe security risk.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "NOBELIUM Group", "Phemedrone Stealer", "Prestige Ransomware", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=\"*/create*\" AND Processes.process=\"*/s*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schtasks_scheduling_job_on_remote_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Schtasks used for forcing a reboot", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 5, "id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "description": "The following analytic detects the use of 'schtasks.exe' to schedule forced system reboots using the 'shutdown' and '/create' flags. It leverages endpoint process data to identify instances where these specific command-line arguments are used. This activity is significant because it may indicate an adversary attempting to disrupt operations or force a reboot to execute further malicious actions. If confirmed malicious, this could lead to system downtime, potential data loss, and provide an attacker with an opportunity to execute additional payloads or evade detection.", "references": [], "tags": {"analytic_story": ["Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*shutdown*\" Processes.process=\"*/create *\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schtasks_used_for_forcing_a_reboot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Screensaver Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "58cea3ec-1f6d-11ec-8560-acde48001122", "description": "The following analytic detects modifications to the SCRNSAVE.EXE registry entry, indicating potential event trigger execution via screensaver settings for persistence or privilege escalation. It leverages registry activity data from the Endpoint data model to identify changes to the specified registry path. This activity is significant as it is a known technique used by APT groups and malware to maintain persistence or escalate privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, leading to further system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1546/002/", "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/screensaver"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546", "T1546.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "screensaver_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Script Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "aa73f80d-d728-4077-b226-81ea0c8be589", "description": "The following analytic detects the execution of scripts via Windows Management Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. WMI-based script execution is significant because adversaries often use it to perform malicious activities stealthily, such as system compromise, data exfiltration, or establishing persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain long-term access to the environment. Analysts should differentiate between legitimate administrative use and potential threats.", "references": ["https://redcanary.com/blog/child-processes/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process_name$ that execute script in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "script_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Sdclt UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 4, "id": "d71efbf6-da63-11eb-8c6e-acde48001122", "description": "The following analytic detects suspicious modifications to the sdclt.exe registry, a technique often used to bypass User Account Control (UAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific registry paths and values associated with sdclt.exe. This activity is significant because UAC bypasses can allow attackers to execute payloads with elevated privileges without user consent. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and potential persistence within the environment, posing a severe security risk.", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", "https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\control.exe*\" OR Registry.registry_path= \"*\\\\exefile\\\\shell\\\\runas\\\\command\\\\*\") (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"IsolatedCommand\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sdclt_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Sdelete Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "31702fc0-2682-11ec-85c3-acde48001122", "description": "The following analytic detects the execution of the sdelete.exe application, a Sysinternals tool often used by adversaries to securely delete files and remove forensic evidence from a targeted host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as sdelete.exe is not commonly used in regular operations and its presence may indicate an attempt to cover malicious activities. If confirmed malicious, this could lead to the loss of critical forensic data, hindering incident response and investigation efforts.", "references": ["https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "sdelete process $process_name$ executed in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may execute and use this application", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_sdelete", "definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "sdelete_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SearchProtocolHost with no Command Line with Network", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 4, "id": "b690df8c-a145-11eb-a38b-acde48001122", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments but with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because searchprotocolhost.exe typically runs with specific command line arguments, and deviations from this norm can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to establish network connections for command and control, potentially leading to data exfiltration or further system compromise.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "searchprotocolhost_with_no_command_line_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "5672819c-be09-11eb-bbfb-acde48001122", "description": "The following analytic detects the potential use of the secretsdump.py tool to dump NTLM hashes from a copy of ntds.dit and the SAM, SYSTEM, and SECURITY registry hives. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and process names associated with secretsdump.py. This activity is significant because it indicates an attempt to extract sensitive credential information offline, which is a common post-exploitation technique. If confirmed malicious, this could allow an attacker to obtain NTLM hashes, facilitating further lateral movement and potential privilege escalation within the network.", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"python*.exe\" Processes.process = \"*.py*\" Processes.process = \"*-ntds*\" (Processes.process = \"*-system*\" OR Processes.process = \"*-sam*\" OR Processes.process = \"*-security*\" OR Processes.process = \"*-bootkey*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "secretdumps_offline_ntds_dumping_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "13243068-2d38-11ec-8908-acde48001122", "description": "The following analytic detects the use of `powershell.exe` to query the domain for Service Principal Names (SPNs) using Script Block Logging EventCode 4104. It identifies the use of the KerberosRequestorSecurityToken class within the script block, which is equivalent to using setspn.exe. This activity is significant as it often precedes kerberoasting or silver ticket attacks, which can lead to credential theft. If confirmed malicious, attackers could leverage this information to escalate privileges or persist within the environment.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of attempting to identify service principle detected on $dest$ names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "serviceprincipalnames_discovery_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "description": "The following analytic detects the use of `setspn.exe` to query the domain for Service Principal Names (SPNs). This detection leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with `setspn.exe`. Monitoring this activity is crucial as it often precedes Kerberoasting or Silver Ticket attacks, which can lead to credential theft. If confirmed malicious, an attacker could use the gathered SPNs to escalate privileges or persist within the environment, posing a significant security risk.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principle names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process=\"*-t*\" AND Processes.process=\"*-f*\") OR (Processes.process=\"*-q*\" AND Processes.process=\"**/**\") OR (Processes.process=\"*-q*\") OR (Processes.process=\"*-s*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_setspn", "definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "serviceprincipalnames_discovery_with_setspn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services Escalate Exe", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 3, "id": "c448488c-b7ec-11eb-8253-acde48001122", "description": "The following analytic identifies the execution of a randomly named binary via `services.exe`, indicative of privilege escalation using Cobalt Strike's `svc-exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process lineage and command-line executions. This activity is significant as it often follows initial access, allowing adversaries to escalate privileges and establish persistence. If confirmed malicious, this behavior could enable attackers to execute arbitrary code, maintain long-term access, and potentially move laterally within the network, posing a severe threat to the organization's security.", "references": ["https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://attack.mitre.org/techniques/T1548/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA23-347A", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A service process $parent_process_name$ with process path $process_path$ in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.process_path Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "services_escalate_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "description": "The following analytic identifies `services.exe` spawning a LOLBAS (Living Off the Land Binaries and Scripts) execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `services.exe` is the parent process. This activity is significant because adversaries often abuse the Service Control Manager to execute malicious code via native Windows binaries, facilitating lateral movement. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1543/003/", "https://pentestlab.blog/2020/07/21/lateral-movement-services/", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Services.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "services_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "author": "Steven Dick, Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 9, "id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "description": "The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to \"Unrestricted\" or \"Bypass.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges.", "references": [], "tags": {"analytic_story": ["Credential Dumping", "DarkGate Malware", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "registry_path", "type": "Unknown", "role": ["Other"]}], "message": "A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\\\Microsoft\\\\Powershell\\\\1\\\\ShellIds\\\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database File Creation", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 4, "id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "description": "The following analytic detects the creation of shim database files (.sdb) in default directories using the sdbinst.exe application. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify file writes to the Windows\\AppPatch\\Custom directory. This activity is significant because shims can intercept and alter API calls, potentially allowing attackers to bypass security controls or execute malicious code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "message": "A process that possibly write shim database in $file_path$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.011", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "shim_database_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database Installation With Suspicious Parameters", "author": "David Dorsey, Splunk", "date": "2024-05-09", "version": 5, "id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "description": "The following analytic detects the execution of sdbinst.exe with parameters indicative of silently creating a shim database. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because shim databases can be used to intercept and manipulate API calls, potentially allowing attackers to bypass security controls or achieve persistence. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that possible create a shim db silently in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.011", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "shim_database_installation_with_suspicious_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Short Lived Scheduled Task", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "6fa31414-546e-11ec-adfa-acde48001122", "description": "The following analytic detects the creation and deletion of scheduled tasks within a short time frame (less than 30 seconds) using Windows Security EventCodes 4698 and 4699. This behavior is identified by analyzing Windows Security Event Logs and leveraging the Windows TA for parsing. Such activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or execution of malicious payloads, necessitating prompt investigation and response by security analysts.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "CISA AA23-347A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created and deleted in 30 seconds on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "short_lived_scheduled_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Short Lived Windows Accounts", "author": "David Dorsey, Splunk", "date": "2024-05-14", "version": 4, "id": "b25f6f62-0782-43c1-b403-083231ffd97d", "description": "The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame. It leverages the \"Change\" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. Immediate investigation of flagged events is crucial to mitigate potential damage.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user account created or delete shortly in host $dest$", "risk_score": 63, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"All_Changes\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "short_lived_windows_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SilentCleanup UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 4, "id": "56d7cfcc-da63-11eb-92d4-acde48001122", "description": "The following analytic detects suspicious modifications to the registry that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes in the path \"*\\\\Environment\\\\windir\" with executable values. This activity is significant as it can allow an attacker to gain high-privilege execution without user consent, bypassing UAC protections. If confirmed malicious, this could lead to unauthorized administrative access, enabling further system compromise and persistence.", "references": ["https://github.com/hfiref0x/UACME", "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Environment\\\\windir\" Registry.registry_value_data = \"*.exe*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "silentcleanup_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Single Letter Process On Endpoint", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 4, "id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "description": "The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with single letter in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \".exe\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "single_letter_process_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI RunAs Elevated", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "8d124810-b3e4-11eb-96c7-acde48001122", "description": "The following analytic detects the execution of the Microsoft Software Licensing User Interface Tool (`slui.exe`) with elevated privileges using the `-verb runas` function. This activity is identified through logs from Endpoint Detection and Response (EDR) agents, focusing on specific registry keys and command-line parameters. This behavior is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to gain elevated access and execute malicious actions with higher privileges. If confirmed malicious, this could lead to unauthorized system changes, data exfiltration, or further compromise of the affected endpoint.", "references": ["https://www.exploit-db.com/exploits/46998", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "Hostname", "role": ["Victim"]}], "message": "A slui process $process_name$ with elevated commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as this is not commonly used by legitimate applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "slui_runas_elevated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "879c4330-b3e0-11eb-b1b1-acde48001122", "description": "The following analytic detects the Microsoft Software Licensing User Interface Tool (`slui.exe`) spawning a child process. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `slui.exe` is the parent process. This activity is significant because `slui.exe` should not typically spawn child processes, and doing so may indicate a UAC bypass attempt, leading to elevated privileges. If confirmed malicious, an attacker could leverage this to execute code with elevated privileges, potentially compromising the system's security and gaining unauthorized access.", "references": ["https://www.exploit-db.com/exploits/46998", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "slui_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spike in File Writes", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 4, "id": "fdb0f805-74e4-4539-8c00-618927333aae", "description": "The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network.", "references": [], "tags": {"analytic_story": ["Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-1d@d\"), count, null))) as \"count\" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`", "how_to_implement": "In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system.", "known_false_positives": "It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spike_in_file_writes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Spawning Rundll32", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "15d905f6-da6b-11eb-ab82-acde48001122", "description": "The following analytic detects the spawning of `rundll32.exe` without command-line arguments by `spoolsv.exe`, which is unusual and potentially indicative of exploitation attempts like CVE-2021-34527 (PrintNightmare). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `spoolsv.exe` is the parent process. This activity is significant as `spoolsv.exe` typically does not spawn other processes, and such behavior could indicate an active exploitation attempt. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised endpoint.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$parent_process_name$ has spawned $process_name$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spoolsv_spawning_rundll32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Suspicious Loaded Modules", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "a5e451f8-da81-11eb-b245-acde48001122", "description": "The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.", "references": ["https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spoolsv_suspicious_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Spoolsv Suspicious Process Access", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "799b606e-da81-11eb-93f8-acde48001122", "description": "The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "ProcessID", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process Name", "role": ["Target"]}], "message": "$SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\spoolsv.exe\" CallTrace = \"*\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*\" TargetImage IN (\"*\\\\rundll32.exe\", \"*\\\\spoolsv.exe\") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spoolsv_suspicious_process_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Spoolsv Writing a DLL", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages the Endpoint datamodel, specifically monitoring process and filesystem events to identify `.dll` file creation within the `\\spool\\drivers\\x64\\` path. This activity is significant as it may signify an attacker attempting to execute malicious code via the Print Spooler service. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise. Immediate endpoint isolation and further investigation are recommended.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" Filesystem.file_name=\"*.dll\" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process_guid process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name process_guid | `spoolsv_writing_a_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spoolsv_writing_a_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Writing a DLL - Sysmon", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "347fd388-da87-11eb-836d-acde48001122", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation events in the `\\spool\\drivers\\x64\\` directory. This activity is significant because `spoolsv.exe` typically does not write DLL files, and such behavior could signify an ongoing attack. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=spoolsv.exe file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spoolsv_writing_a_dll___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Sqlite Module In Temp Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0f216a38-f45f-11eb-b09c-acde48001122", "description": "The following analytic detects the creation of sqlite3.dll files in the %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are written to the temporary directory. This activity is significant because it is associated with IcedID malware, which uses the sqlite3 module to parse browser databases and steal sensitive information such as banking details, credit card information, and credentials. If confirmed malicious, this behavior could lead to significant data theft and compromise of user accounts.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $file_name$ in host $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sqlite_module_in_temp_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "description": "The following analytic identifies potential threats related to the theft or forgery of authentication certificates. It detects when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. This detection leverages aggregated risk scores and event counts from the Risk data model. This activity is significant as it may indicate an ongoing attack aimed at compromising authentication mechanisms. If confirmed malicious, attackers could gain unauthorized access to sensitive systems and data, potentially leading to severe security breaches.", "references": ["https://research.splunk.com/stories/windows_certificate_services/", "https://attack.mitre.org/techniques/T1649/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Steal or Forge Authentication Certificates Behavior Identified on $risk_object$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Windows Certificate Services\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`", "how_to_implement": "The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics.", "known_false_positives": "False positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "steal_or_forge_authentication_certificates_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sunburst Correlation DLL and Network Event", "author": "Patrick Bareiss, Splunk", "date": "2024-05-11", "version": 2, "id": "701a8740-e8db-40df-9190-5516d3819787", "description": "The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.", "references": ["https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1203"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sunburst_correlation_dll_and_network_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Computer Account Name Change", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "description": "The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a `$`. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "OldTargetUserName", "type": "User", "role": ["Victim"]}], "message": "A computer account $OldTargetUserName$ was renamed with a suspicious computer name on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\" | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName | rename Computer as dest | `suspicious_computer_account_name_change_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "suspicious_computer_account_name_change_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Copy on System32", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "ce633e56-25b2-11ec-9e76-acde48001122", "description": "The following analytic detects suspicious file copy operations from the System32 or SysWow64 directories, often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by command-line tools like cmd.exe or PowerShell. This behavior is significant as it may indicate an attempt to execute malicious code using legitimate system tools (LOLBIN). If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise or further lateral movement within the network.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Qakbot", "Sandworm Tools", "Unusual Processes", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Execution of copy exe to copy file from $process$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036.003", "T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process,\" \") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,\"%\\\\windows\\\\system32\\\\%\") AND NOT LIKE(first_cmdline,\"%\\\\windows\\\\syswow64\\\\%\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "every user may do this event but very un-ussual.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_copy", "definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_copy_on_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Curl Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "description": "The following analytic detects the use of the curl command contacting suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command and Control (C2) activity or downloading further implants. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate the presence of MacOS adware or other malicious software attempting to establish persistence or exfiltrate data. If confirmed malicious, this could allow attackers to maintain control over the compromised system and deploy additional payloads.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_curl_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 5, "id": "ff61e98c-0337-4593-a78f-72a676c56f26", "description": "The following analytic detects instances of DLLHost.exe executing without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because DLLHost.exe typically requires arguments to function correctly, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized actions like credential dumping or file manipulation, posing a severe threat to the environment.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_dllhost", "definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_dllhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Driver Loaded Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "f880acd4-a8f1-11eb-a53b-acde48001122", "description": "The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious driver $file_name$ on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=6 ImageLoaded = \"*.sys\" NOT (ImageLoaded IN(\"*\\\\WINDOWS\\\\inf\",\"*\\\\WINDOWS\\\\System32\\\\drivers\\\\*\", \"*\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present. Some applications do load drivers", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_driver_loaded_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Event Log Service Behavior", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40", "description": "The following analytic detects the shutdown of the Windows Event Log service using Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Windows Event Log Service shutdown on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070", "T1070.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_event_log_service_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "description": "The following analytic detects the execution of gpupdate.exe without any command line arguments. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute unauthorized commands or scripts, potentially leading to further system compromise or lateral movement within the network.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_gpupdate", "definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_gpupdate_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 3, "id": "bed761f8-ee29-11eb-8bf3-acde48001122", "description": "The following analytic detects a suspicious `rundll32.exe` command line used to execute a DLL file, a technique associated with IcedID malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing the pattern `*/i:*`. This activity is significant as it indicates potential malware attempting to load an encrypted DLL payload, often named `license.dat`. If confirmed malicious, this could allow attackers to execute arbitrary code, leading to further system compromise and potential data exfiltration.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this parameter is not commonly used by windows application but can be used by the network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_icedid_rundll32_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Image Creation In Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 3, "id": "f6f904c4-1ac0-11ec-806b-acde48001122", "description": "The following analytic detects the creation of image files in the AppData folder by processes that also have a file reference in the same folder. It leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify this behavior. This activity is significant because it is commonly associated with malware, such as the Remcos RAT, which captures screenshots and stores them in the AppData folder before exfiltrating them to a command-and-control server. If confirmed malicious, this activity could indicate unauthorized data capture and exfiltration, compromising sensitive information and user privacy.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.png\",\"*.jpg\",\"*.bmp\",\"*.gif\",\"*.tiff\") Filesystem.file_path= \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_image_creation_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Kerberos Service Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "8b1297bc-6204-11ec-b7c4-acde48001122", "description": "The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,\"@\"),0)),1,0) | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "suspicious_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Linux Discovery Commands", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 2, "id": "0edd5112-56c9-11ec-b990-acde48001122", "description": "The following analytic detects the execution of suspicious bash commands commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically looking for a high number of distinct commands executed within a short time frame. This activity is significant as it often precedes privilege escalation or other malicious actions. If confirmed malicious, an attacker could gain detailed system information, identify vulnerabilities, and potentially escalate privileges, posing a severe threat to the environment.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/", "https://attack.mitre.org/techniques/T1059/004/", "https://github.com/IvanGlinkin/AutoSUID", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", "https://github.com/rebootuser/LinEnum"], "tags": {"analytic_story": ["Linux Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Linux Discovery Commands detected on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_linux_discovery_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler rename", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 6, "id": "f0db4464-55d9-11eb-ae93-0242ac130002", "description": "The following analytic detects the renaming of microsoft.workflow.compiler.exe, a rarely used executable typically located in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names. This activity is significant because renaming this executable can indicate an attempt to evade security controls. If confirmed malicious, an attacker could use this renamed executable to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036", "T1127", "T1036.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler usage", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 3, "id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "description": "The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1127"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_microsoftworkflowcompiler", "definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious msbuild path", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "f5198224-551c-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of msbuild.exe from a non-standard path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that deviate from typical msbuild.exe locations. This activity is significant because msbuild.exe is commonly abused by attackers to execute malicious code, and running it from an unusual path can indicate an attempt to evade detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\\\framework*\\\\v*\\\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Rename", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 5, "id": "4006adac-5937-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed msbuild.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Spawn", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 3, "id": "a115fba6-5514-11eb-ae93-0242ac130002", "description": "The following analytic identifies instances where wmiprvse.exe spawns msbuild.exe, which is unusual and indicative of potential misuse of a COM object. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant because msbuild.exe is typically spawned by devenv.exe during legitimate Visual Studio use, not by wmiprvse.exe. If confirmed malicious, this behavior could indicate an attacker executing arbitrary code or scripts, potentially leading to system compromise or further malicious activities.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious msbuild.exe process executed on $dest$ by $user$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1127", "T1127.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta child process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "60023bb6-5500-11eb-ae93-0242ac130002", "description": "The following analytic identifies child processes spawned from \"mshta.exe\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like \"powershell.exe\" and \"cmd.exe\". This activity is significant because \"mshta.exe\" is often exploited by attackers to execute malicious scripts or commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Monitoring this activity helps in early detection of potential threats leveraging \"mshta.exe\" for malicious purposes.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious mshta child process detected on host $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta spawn", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "description": "The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html", "https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "mshta.exe spawned by wmiprvse.exe on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "description": "The following analytic identifies the use of the native macOS utility, PlistBuddy, to create or modify property list (.plist) files. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving PlistBuddy. This activity is significant because PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised macOS system.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.001", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_plistbuddy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage via OSquery", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "20ba6c32-c733-4a32-b64e-2688cf231399", "description": "The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.001", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery_process` \"columns.cmdline\"=\"*LaunchAgents*\" OR \"columns.cmdline\"=\"*RunAtLoad*\" OR \"columns.cmdline\"=\"*true*\" | `suspicious_plistbuddy_usage_via_osquery_filter`", "how_to_implement": "OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_plistbuddy_usage_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "description": "The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon Event ID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "references": ["https://urlhaus.abuse.ch/url/1798923/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Phemedrone Stealer", "Remcos", "Snake Keylogger", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059.005", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\", \"*api.telegram*\",\"*t.me*\") process_name IN (\"cmd.exe\", \"*powershell*\", \"pwsh.exe\", \"wscript.exe\",\"cscript.exe\") OR Image IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_process_dns_query_known_abuse_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Process Executed From Container File", "author": "Steven Dick", "date": "2024-05-09", "version": 2, "id": "d8120352-3b62-411c-8cb6-7b47584dd5e8", "description": "The following analytic identifies a suspicious process executed from within common container/archive file types such as ZIP, ISO, IMG, and others. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is a common technique used by adversaries to execute scripts or evade defenses. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/", "https://attack.mitre.org/techniques/T1204/002/"], "tags": {"analytic_story": ["Amadey", "Remcos", "Snake Keylogger", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A suspicious process $process_name$ was launched from $file_name$ on $dest$.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1204.002", "T1036.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.ZIP\\\\*\",\"*.ISO\\\\*\",\"*.IMG\\\\*\",\"*.CAB\\\\*\",\"*.TAR\\\\*\",\"*.GZ\\\\*\",\"*.RAR\\\\*\",\"*.7Z\\\\*\") AND Processes.action=\"allowed\" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process=\"(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\\\\\.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\\\"?$\" | rex field=process \"(?i).+\\\\\\\\(?[^\\\\\\]+\\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\\\\\((.+\\\\\\\\)+)?(?.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\\\"?$\"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Various business process or userland applications and behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_process_executed_from_container_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process File Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "9be25988-ad82-11eb-a14f-acde48001122", "description": "The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "Phemedrone Stealer", "PlugX", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_path", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\windows\\\\fonts\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\users\\\\public\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\debug\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Administrator\\\\Music\\\\*\" OR Processes.process_path = \"*\\\\Windows\\\\servicing\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Default\\\\*\" OR Processes.process_path = \"*Recycle.bin*\" OR Processes.process_path = \"*\\\\Windows\\\\Media\\\\*\" OR Processes.process_path = \"\\\\Windows\\\\repair\\\\*\" OR Processes.process_path = \"*\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\PerfLogs\\\\*\" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may allow execution of specific binaries in non-standard paths. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process With Discord DNS Query", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "4d4332ae-792c-11ec-89c1-acde48001122", "description": "The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing \"discord\" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059.005", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*discord*\") Image != \"*\\\\AppData\\\\Local\\\\Discord\\\\*\" AND Image != \"*\\\\Program Files*\" AND Image != \"discord.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`", "how_to_implement": "his detection relies on sysmon logs with the Event ID 22, DNS Query.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_process_with_discord_dns_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Reg exe Process", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 5, "id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "description": "The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access.", "references": ["https://car.mitre.org/wiki/CAR-2013-03-001/"], "tags": {"analytic_story": ["DHS Report TA18-074A", "Disabling Security Tools", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_reg_exe_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 4, "id": "62732736-6250-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Regsvr32.exe to register DLLs from suspicious paths such as AppData, ProgramData, or Windows Temp directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing traditional security controls. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5", "https://any.run/report/f29a7d2ecd3585e1e4208e44bcc7156ab5388725f1d29d03e7699da0d4598e7c/0826458b-5367-45cf-b841-c95a33a01718"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Qakbot", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_regsvr32_register_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 dllregisterserver", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "description": "The following analytic detects the execution of rundll32.exe with the DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to register a malicious DLL, which can be a method for code execution or persistence. If confirmed malicious, an attacker could gain unauthorized code execution, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/pan-unit42/tweets/blob/master/2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://docs.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver?redirectedfrom=MSDN"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 4, "id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "description": "The following analytic detects the execution of rundll32.exe without any command line arguments. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. It is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 PluginInit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "92d51712-ee29-11eb-b1ae-acde48001122", "description": "The following analytic identifies the execution of the rundll32.exe process with the \"plugininit\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the \"plugininit\" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party application may used this dll export name to execute function.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_plugininit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 StartW", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 4, "id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "description": "The following analytic identifies the execution of rundll32.exe with the DLL function names \"Start\" and \"StartW,\" commonly associated with Cobalt Strike payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it often indicates the presence of malicious payloads, such as Cobalt Strike, which can lead to unauthorized code execution. If confirmed malicious, this activity could allow attackers to inject shellcode, escalate privileges, and maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1036", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Suspicious Rundll32 Activity", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32.exe running with suspicious StartW parameters on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_startw_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Scheduled Task from Public Directory", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "7feb7972-7ac3-11eb-bac8-acde48001122", "description": "The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\\public, \\programdata\\, or \\windows\\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Living Off The Land", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious scheduled task registered on $dest$ from Public Directory", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\\\users\\\\public\\\\* OR Processes.process=*\\\\programdata\\\\* OR Processes.process=*windows\\\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_scheduled_task_from_public_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. This activity is significant because searchprotocolhost.exe typically runs with specific arguments, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized code execution, potential credential dumping, or other malicious actions within the environment.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_searchprotocolhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "description": "The following analytic identifies the use of SQLite3 querying the MacOS preferences to determine the original URL from which a package was downloaded. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving LSQuarantine. This activity is significant as it is commonly associated with MacOS adware and other malicious software. If confirmed malicious, this behavior could indicate an attempt to track or manipulate downloaded packages, potentially leading to further system compromise or persistent adware infections.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1074"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_sqlite3_lsquarantine_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Ticket Granting Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "d77d349e-6269-11ec-9cfe-acde48001122", "description": "The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious TGT was requested was requested by $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` (EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\") OR (EventCode=4768 TargetUserName!=\"*$\") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),\"TRUE\") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "suspicious_ticket_granting_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious WAV file in Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "5be109e6-1ac5-11ec-b421-acde48001122", "description": "The following analytic detects the creation of .wav files in the AppData folder, a behavior associated with Remcos RAT malware, which stores audio recordings in this location for data exfiltration. The detection leverages endpoint process and filesystem data to identify .wav file creation within the AppData\\Roaming directory. This activity is significant as it indicates potential unauthorized data collection and exfiltration by malware. If confirmed malicious, this could lead to sensitive information being sent to an attacker's command and control server, compromising the affected system's confidentiality.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.wav\") Filesystem.file_path = \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_wav_file_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious wevtutil Usage", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-19", "version": 5, "id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "description": "The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA23-347A", "Clop Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Wevtutil.exe being used to clear Event Logs on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070.001", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN (\"* cl *\", \"*clear-log*\") (Processes.process=\"*System*\" OR Processes.process=\"*Security*\" OR Processes.process=\"*Setup*\" OR Processes.process=\"*Application*\" OR Processes.process=\"*trace*\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_wevtutil_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to windows Recycle Bin", "author": "Rico Valdez, Splunk", "date": "2024-05-18", "version": 3, "id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "description": "The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the \"*$Recycle.Bin*\" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "PlugX"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious writes to windows Recycle Bin process $process_name$ on $dest$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*$Recycle.Bin*\" by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | join process_id [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \"explorer.exe\" by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.", "known_false_positives": "Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_writes_to_windows_recycle_bin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 4, "id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "description": "The following analytic detects instances of 'svchost.exe' spawning Living Off The Land Binaries and Scripts (LOLBAS) processes. It leverages Endpoint Detection and Response (EDR) data to monitor child processes of 'svchost.exe' that match known LOLBAS executables. This activity is significant as adversaries often use LOLBAS techniques to execute malicious code stealthily, potentially indicating lateral movement or code execution attempts. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Svchost.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "svchost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Info Gathering Using Dxdiag Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "f92d74f2-4921-11ec-b685-acde48001122", "description": "The following analytic identifies the execution of the dxdiag.exe process with specific command-line arguments, which is used to gather system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line details. This activity is significant because dxdiag.exe is rarely used in corporate environments and its execution may indicate reconnaissance efforts by malicious actors. If confirmed malicious, this activity could allow attackers to collect detailed system information, aiding in further exploitation or lateral movement within the network.", "references": ["https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "dxdiag.exe process with commandline $process$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1592"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = \"* /t *\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_dxdiag", "definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_info_gathering_using_dxdiag_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Information Discovery Detection", "author": "Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 4, "id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "description": "The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration.", "references": ["https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential system information discovery behavior on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*wmic* qfe*\" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators debugging servers", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_information_discovery_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Processes Run From Unexpected Locations", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-25", "version": 7, "id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "description": "The following analytic identifies system processes running from unexpected locations outside `C:\\Windows\\System32\\` or `C:\\Windows\\SysWOW64`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths, names, and hashes. This activity is significant as it may indicate a malicious process attempting to masquerade as a legitimate system process. If confirmed malicious, this behavior could allow an attacker to execute code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/"], "tags": {"analytic_story": ["DarkGate Malware", "Masquerading - Rename System Utilities", "Qakbot", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1036.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\"C:\\\\Windows\\\\System32*\" Processes.process_path !=\"C:\\\\Windows\\\\SysWOW64*\" by Processes.dest Processes.user Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_windows_system_file_macro", "definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_processes_run_from_unexpected_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Query", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "description": "The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering logged-in users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify active users, aiding in further lateral movement and privilege escalation within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"query.exe\") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Whoami", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "description": "The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Qakbot", "Rhysida Ransomware", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"whoami.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Time Provider Persistence Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 5, "id": "5ba382c4-2105-11ec-8d8f-acde48001122", "description": "The following analytic detects suspicious modifications to the time provider registry for persistence and autostart. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders\" registry path. This activity is significant because such modifications are uncommon and can indicate an attempt to establish persistence on a compromised host. If confirmed malicious, this technique allows an attacker to maintain access and execute code automatically upon system boot, potentially leading to further exploitation and control over the affected system.", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/", "https://attack.mitre.org/techniques/T1547/003/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1547.003", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "time_provider_persistence_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Trickbot Named Pipe", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "1804b0a4-a682-11eb-8f68-acde48001122", "description": "The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern \"\\\\pipe\\\\*lacesomepipe\". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Possible Trickbot namedpipe created on $dest$ by $process_name$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (17,18) PipeName=\"\\\\pipe\\\\*lacesomepipe\" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "trickbot_named_pipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass MMC Load Unsigned Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "7f04349c-e30d-11eb-bc7f-acde48001122", "description": "The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ with EventCode $EventCode$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548", "T1218.014"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded = \"*.dll\" Image = \"*\\\\mmc.exe\" Signed=false Company != \"Microsoft Corporation\" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown. all of the dll loaded by mmc.exe is microsoft signed dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_mmc_load_unsigned_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass With Colorui COM Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "description": "The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment.", "references": ["https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "not so common. but 3rd part app may load this dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_with_colorui_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Uninstall App Using MsiExec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "1fca2b28-f922-11eb-b2dd-acde48001122", "description": "The following analytic detects the uninstallation of applications using msiexec with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it is an uncommon practice in enterprise environments and has been associated with malicious behavior, such as disabling antivirus software. If confirmed malicious, this could allow an attacker to remove security software, potentially leading to further compromise and persistence within the network.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ with a cmdline $process$ in host $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= \"* /qn *\" Processes.process= \"*/X*\" Processes.process= \"*REBOOT=*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uninstall_app_using_msiexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unknown Process Using The Kerberos Protocol", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 3, "id": "c91a0852-9fbb-11ec-af44-acde48001122", "description": "The following analytic identifies a non-lsass.exe process making an outbound connection on port 88, which is typically used by the Kerberos authentication protocol. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. This activity is significant because, under normal circumstances, only the lsass.exe process should interact with the Kerberos Distribution Center. If confirmed malicious, this behavior could indicate an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized access or lateral movement within the network.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Unknown process $process_name$ using the kerberos protocol detected on host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Custom applications may leverage the Kerberos protocol. Filter as needed.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unknown_process_using_the_kerberos_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unload Sysmon Filter Driver", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 5, "id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "description": "The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment.", "references": ["https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver"], "tags": {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Sysmon filter driver unloading on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | table firstTime lastTime dest user count process_name process_id parent_process_name process | `unload_sysmon_filter_driver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown at the moment", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unload_sysmon_filter_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unloading AMSI via Reflection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "a21e3484-c94d-11eb-b55b-acde48001122", "description": "The following analytic detects the tampering of AMSI (Antimalware Scan Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically those involving `system.management.automation.amsi`. This activity is significant as it indicates an attempt to bypass AMSI, a critical security feature that helps detect and block malicious scripts. If confirmed malicious, this could allow an attacker to execute harmful code undetected, leading to potential system compromise and data exfiltration.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible AMSI Unloading via Reflection using PowerShell on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Potential for some third party applications to disable AMSI upon invocation. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unloading_amsi_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "description": "The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, \"A Kerberos service ticket was requested.\" It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "message": "", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" Account_Name!=\"*$*\" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "unusual_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "eb3e6702-8936-11ec-98fe-acde48001122", "description": "The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1558/003/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Endpoint", "role": ["Victim"]}], "message": "tbd", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName!=\"*$\" TicketEncryptionType=0x17 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services by _time, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "unusual_number_of_kerberos_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "acb5dc74-5324-11ec-a36d-acde48001122", "description": "The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "target_hosts", "type": "Endpoint", "role": ["Victim"]}], "message": "Unusual number of remote authentication events from $Source_Network_Address$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!=\"*$\" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "unusual_number_of_remote_endpoint_authentication_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Unusually Long Command Line", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 6, "id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "description": "The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Unusually long command line $process_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications start with long command lines.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Command Line - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-26", "version": 2, "id": "57edaefa-a73b-45e5-bbae-f39c1473f941", "description": "The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for a given user. This is significant for a SOC as unusually long command lines can be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this activity could allow attackers to execute sophisticated commands, potentially leading to unauthorized access, data exfiltration, or further compromise of the system.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \"IsOutlier(processlen)\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that use PowerShell environment variables to identify the current logged user. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to gather critical user information, aiding in further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=\"*$env:UserName*\" OR Processes.process=\"*[System.Environment]::UserName*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "user_discovery_with_env_vars_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "description": "The following analytic detects the use of PowerShell environment variables to identify the current logged user by leveraging PowerShell Script Block Logging (EventCode=4104). This method monitors script blocks containing `$env:UserName` or `[System.Environment]::UserName`. Identifying this activity is significant as adversaries and Red Teams may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this activity could allow attackers to gain insights into user context, aiding in further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System user discovery on endpoint $dest$ by user $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*$env:UserName*\" OR ScriptBlockText = \"*[System.Environment]::UserName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "user_discovery_with_env_vars_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "USN Journal Deletion", "author": "David Dorsey, Splunk", "date": "2024-05-12", "version": 3, "id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "description": "The following analytic detects the deletion of the USN Journal using the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because the USN Journal maintains a log of all changes made to files on the disk, and its deletion can be an indicator of an attempt to cover tracks or hinder forensic investigations. If confirmed malicious, this action could allow an attacker to obscure their activities, making it difficult to trace file modifications and potentially compromising incident response efforts.", "references": [], "tags": {"analytic_story": ["Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible USN journal deletion on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\"*deletejournal*\" AND process=\"*usn*\" | `usn_journal_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "usn_journal_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Vbscript Execution Using Wscript App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "35159940-228f-11ec-8a49-acde48001122", "description": "The following analytic detects the execution of VBScript using the wscript.exe application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because wscript.exe is typically not used to execute VBScript, which is usually associated with cscript.exe. This deviation can indicate an attempt to evade traditional process monitoring and antivirus defenses. If confirmed malicious, this technique could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.joesandbox.com/analysis/369332/0/html", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute vbsscript", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.005", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"wscript.exe\" AND Processes.parent_process = \"*//e:vbscript*\") OR (Processes.process_name = \"wscript.exe\" AND Processes.process = \"*//e:vbscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "vbscript_execution_using_wscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Verclsid CLSID Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "description": "The following analytic detects the potential abuse of the verclsid.exe utility to execute malicious files via generated CLSIDs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with verclsid.exe. This activity is significant because verclsid.exe is a legitimate Windows application used to verify CLSID COM objects, and its misuse can indicate an attempt to bypass security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise or further malicious activities.", "references": ["https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "process $process_name$ to execute possible clsid commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.012", "T1218"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process=\"*/S*\" Processes.process=\"*/C*\" AND Processes.process=\"*{*\" AND Processes.process=\"*}*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "windows can used this application for its normal COM object validation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_verclsid", "definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "verclsid_clsid_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "W3WP Spawning Shell", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "0f03423c-7c6a-11eb-bc47-acde48001122", "description": "The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is W3WP.exe. This activity is significant as it may indicate webshell activity, often associated with exploitation attempts like those by the HAFNIUM Group on Exchange servers. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Web Shell execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "w3wp_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WBAdmin Delete System Backups", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://attack.mitre.org/techniques/T1490/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin"], "tags": {"analytic_story": ["Chaos Ransomware", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System backups deletion on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process=\"*delete*\" AND (Processes.process=\"*catalog*\" OR Processes.process=\"*systemstatebackup*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wbadmin_delete_system_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wbemprox COM Object Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "9d911ce0-c3be-11eb-b177-acde48001122", "description": "The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious COM Object Execution on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemcomn.dll\") NOT (process_name IN (\"wmiprvse.exe\", \"WmiApSrv.exe\", \"unsecapp.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\",\"*\\\\program files*\", \"*\\\\wbem\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "legitimate process that are not in the exception list may trigger this event.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wbemprox_com_object_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Connecting To IP Check Web Services", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "ed313326-a0f9-11eb-a89c-acde48001122", "description": "The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe process connecting IP location web services on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1590", "T1590.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_connecting_to_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Create Executable File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "ab3bcce0-a105-11eb-973c-acde48001122", "description": "The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe writing executable files on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_create_executable_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "e8fc95bc-a107-11eb-a978-acde48001122", "description": "The following analytic detects the spawning of cmd or PowerShell processes by the wermgr.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry, including parent-child process relationships and command-line executions. This behavior is significant as it is commonly associated with code injection techniques used by malware like TrickBot to execute shellcode or malicious DLL modules. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Qakbot", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe spawning suspicious processes on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wermgr_process_spawned_cmd_or_powershell_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wget Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "35682718-5a85-11ec-b8f7-acde48001122", "description": "The following analytic detects the use of wget on Linux or MacOS to download a file from a remote source and pipe it to bash. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wget_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Abused Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "01f0aef4-8591-4daa-a53d-0ed49823b681", "description": "The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "a network connection on known abused web services from $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1102"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\",\"\"*textbin*\"\", \"*ngrok.io*\", \"*discord*\", \"*duckdns.org*\", \"*pasteio.com*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_abused_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "6ece9ed0-5f92-4315-889d-48560472b188", "description": "The following analytic detects a process enabling the \"SeDebugPrivilege\" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", "https://atomicredteam.io/privilege-escalation/T1134.001/#atomic-test-2---%60sedebugprivilege%60-token-duplication", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Brute Ratel C4", "CISA AA23-347A", "DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134.002", "T1134"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4703 EnabledPrivilegeList = \"*SeDebugPrivilege*\" AND NOT(ProcessName IN (\"*\\\\Program File*\", \"*\\\\System32\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\svchost.exe*\", \"*\\\\System32\\\\svchost.exe*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_access_token_manipulation_sedebugprivilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "description": "The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134.001", "T1134"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "description": "The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134.001", "T1134"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for None Disable User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "eddbf5ba-b89e-47ca-995e-2d259804e55e", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://powersploit.readthedocs.io/en/stable/Recon/README/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview", "https://atomicredteam.io/discovery/T1087.001/"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*NOT_ACCOUNTDISABLE*\" ScriptBlockText = \"*-UACFilter*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_none_disable_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for Sam Account Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "69934363-e1dd-4c49-8651-9d7663dd4d2f", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for \"samaccountname\" and \"pwdlastset\" attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for Sam Account Name on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText IN (\"*samaccountname*\", \"*pwdlastset*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_sam_account_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "cf056b65-44b2-4d32-9172-d6b6f081a376", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*-PreauthNotRequire*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_with_netuser_preauthnotrequire_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Abnormal Object Access Activity", "author": "Steven Dick", "date": "2024-05-21", "version": 2, "id": "71b289db-5f2c-4c43-8256-8bf26ae7324a", "description": "The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_ad_abnormal_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD AdminSDHolder ACL Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "description": "The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.", "references": ["https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory", "https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx", "https://adsecurity.org/?p=1906", "https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists", "https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=\"%%14674\" ObjectDN=\"CN=AdminSDHolder,CN=System*\" | rex field=AttributeValue max_match=10000 \"A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.", "known_false_positives": "Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_adminsdholder_acl_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Cross Domain SID History Addition", "author": "Dean Luxton", "date": "2024-05-11", "version": 2, "id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1134.005", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_cross_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "author": "Dean Luxton", "date": "2024-05-12", "version": 2, "id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "description": "The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "GPO $SubCategory$ of $Category$ was disabled on $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN (\"%%8448\",\"%%8450\",\"%%8448, %%8450\") OR Changes IN (\"Failure removed\",\"Success removed\",\"Success removed, Failure removed\")) dest_category=\"domain_controller\"| replace \"%%8448\" with \"Success removed\", \"%%8450\" with \"Failure removed\", \"%%8448, %%8450\" with \"Success removed, Failure removed\" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`", "how_to_implement": "Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.", "known_false_positives": "Unknown", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_domain_controller_audit_policy_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies", "filename": "advanced_audit_policy_guids.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AD Domain Controller Promotion", "author": "Dean Luxton", "date": "2024-05-18", "version": 2, "id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "description": "The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.", "references": ["https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "AD Domain Controller Promotion Event Detected for $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_domain_controller_promotion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Domain Replication ACL Addition", "author": "Dean Luxton", "date": "2024-05-16", "version": 2, "id": "8c372853-f459-4995-afdc-280c114d33ab", "description": "The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.", "references": ["https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb", "https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$src_user$ has granted $user$ permission to replicate AD objects", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1484"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` | rex field=AttributeValue max_match=10000 \\\"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\\\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\\\"true\\\",\\\"false\\\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\\\"true\\\",\\\"false\\\")| where minDCSyncPermissions=\\\"true\\\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.", "known_false_positives": "When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_domain_replication_acl_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD DSRM Account Changes", "author": "Dean Luxton", "date": "2024-05-24", "version": 3, "id": "08cb291e-ea77-48e8-a95a-0799319bf056", "description": "The following analytic identifies changes to the Directory Services Restore Mode (DSRM) account behavior via registry modifications. It detects alterations in the registry path \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" with specific values indicating potential misuse. This activity is significant because the DSRM account, if misconfigured, can be exploited to persist within a domain, similar to a local administrator account. If confirmed malicious, an attacker could gain persistent administrative access to a Domain Controller, leading to potential domain-wide compromise and unauthorized access to sensitive information.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Changes Initiated on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" Registry.registry_value_data IN (\"*1\",\"*2\") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Disaster recovery events.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_account_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD DSRM Password Reset", "author": "Dean Luxton", "date": "2024-05-12", "version": 2, "id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "description": "The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Password was reset on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id=\"4794\" AND All_Changes.result=\"An attempt was made to set the Directory Services Restore Mode administrator password\" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.", "known_false_positives": "Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Privileged Account SID History Addition", "author": "Dean Luxton", "date": "2024-05-26", "version": 3, "id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "description": "The following analytic identifies when the SID of a privileged user is added to the SID History attribute of another user. It leverages Windows Security Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. This behavior is significant as it may indicate an attempt to abuse SID history for unauthorized access across multiple domains. If confirmed malicious, this activity could allow an attacker to escalate privileges or maintain persistent access within the environment, posing a significant security risk.", "references": ["https://adsecurity.org/?p=1772"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1134.005", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*?)(}$|$)\" | eval category=\"privileged\" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`", "how_to_implement": "Ensure you have objectSid and the Down Level Logon Name `DOMAIN\\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.", "known_false_positives": "Migration of privileged accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_privileged_account_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Privileged Object Access Activity", "author": "Steven Dick", "date": "2024-05-18", "version": 2, "id": "dc2f58bc-8cd2-4e51-962a-694b963acde0", "description": "The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object_name", "type": "Other", "role": ["Attacker"]}], "message": "The account $user$ accessed $object_count$ privileged AD object(s).", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectName IN ( \"CN=Account Operators,*\", \"CN=Administrators,*\", \"CN=Backup Operators,*\", \"CN=Cert Publishers,*\", \"CN=Certificate Service DCOM Access,*\", \"CN=Domain Admins,*\", \"CN=Domain Controllers,*\", \"CN=Enterprise Admins,*\", \"CN=Enterprise Read-only Domain Controllers,*\", \"CN=Group Policy Creator Owners,*\", \"CN=Incoming Forest Trust Builders,*\", \"CN=Microsoft Exchange Servers,*\", \"CN=Network Configuration Operators,*\", \"CN=Power Users,*\", \"CN=Print Operators,*\", \"CN=Read-only Domain Controllers,*\", \"CN=Replicators,*\", \"CN=Schema Admins,*\", \"CN=Server Operators,*\", \"CN=Exchange Trusted Subsystem,*\", \"CN=Exchange Windows Permission,*\", \"CN=Organization Management,*\") | rex field=ObjectName \"CN\\=(?[^,]+)\" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_ad_privileged_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated by User Account", "author": "Dean Luxton", "date": "2024-05-16", "version": 3, "id": "51307514-1236-49f6-8686-d46d93cc2821", "description": "The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.006", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND NOT (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`", "known_false_positives": "Azure AD Connect syncing operations.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_replication_request_initiated_by_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "author": "Dean Luxton", "date": "2024-05-20", "version": 4, "id": "50998483-bb15-457b-a870-965080d9e3d3", "description": "The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.006", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category=\"domain_controller\" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.", "known_false_positives": "Genuine DC promotion may trigger this alert.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Same Domain SID History Addition", "author": "Dean Luxton", "date": "2024-05-22", "version": 3, "id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute can be abused by adversaries to grant unauthorized access by inheriting permissions from another account. If confirmed malicious, this could allow attackers to maintain persistent access or escalate privileges within the domain, posing a severe security risk.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1134.005", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_same_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "description": "The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $ObjectDN$ was set by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_serviceprincipalname_added_to_domain_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "b681977c-d90c-4efc-81a5-c58f945fb541", "description": "The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $user$ was set and shortly deleted", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "author": "Dean Luxton", "date": "2024-05-11", "version": 4, "id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "description": "The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.", "references": ["https://www.dcshadow.com/", "https://blog.netwrix.com/2022/09/28/dcshadow_attack/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://attack.mitre.org/techniques/T1207/", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue=\"GC/*\" OR AttributeValue=\"E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),\"TRUE\") | where short_lived=\"TRUE\" AND mvcount(OperationType)>1 | replace \"%%14674\" with \"Value Added\", \"%%14675\" with \"Value Deleted\" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_short_lived_domain_controller_spn_attribute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Short Lived Server Object", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "description": "The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.", "references": ["https://www.dcshadow.com/", "https://attack.mitre.org/techniques/T1207/", "https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/", "https://pentestlab.blog/2018/04/16/dcshadow/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Potential DCShadow Attack Detected on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN=\"*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*\" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.", "known_false_positives": "Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_short_lived_server_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD SID History Attribute Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "1155e47d-307f-4247-beab-71071e3a458c", "description": "The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1134", "T1134.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_sid_history_attribute_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AdFind Exe", "author": "Jose Hernandez, Bhavin Patel, Splunk", "date": "2024-05-13", "version": 4, "id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "description": "The following analytic identifies the execution of `adfind.exe` with specific command-line arguments related to Active Directory queries. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and FIN6 to gather sensitive AD information. If confirmed malicious, this activity could allow attackers to map the AD environment, facilitating further attacks such as privilege escalation or lateral movement.", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption", "https://www.joeware.net/freetools/tools/adfind/index.htm", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Domain Trust Discovery", "Graceful Wipe Out Attack", "IcedID", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows AdFind Exe", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* -f *\" OR Processes.process=\"* -b *\") AND (Processes.process=*objectcategory* OR Processes.process=\"* -gcb *\" OR Processes.process=\"* -sc *\") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_adfind_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admin Permission Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "e08620cb-9488-4052-832d-97bcc0afd414", "description": "The following analytic identifies the creation of a suspicious file named 'win.dat' in the root directory (C:\\). It leverages data from the Endpoint.Filesystem datamodel to detect this activity. This behavior is significant as it is commonly used by malware like NjRAT to check for administrative privileges on a compromised host. If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions, potentially leading to further system compromise and persistence.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file was created in root drive C:/ on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\", \"*.dll\", \"*.sys\", \"*.com\", \"*.vbs\", \"*.vbe\", \"*.js\", \"*.bat\", \"*.cmd\", \"*.pif\", \"*.lnk\", \"*.dat\") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"C:\") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_admin_permission_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "description": "The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://en.wikipedia.org/wiki/Administrative_share", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "$IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1135"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName=\"\\\\\\\\*\\\\ADMIN$\" OR ShareName=\"\\\\\\\\*\\\\IPC$\" OR ShareName=\"\\\\\\\\*\\\\C$\") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.", "known_false_positives": "An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_administrative_shares_accessed_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Admon Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "83458004-db60-4170-857d-8572f16f070b", "description": "The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to monitor updates to the \"Default Domain Policy\" and \"Default Domain Controllers Policy.\" This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A default domain group policy was updated on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" (displayName=\"Default Domain Policy\" OR displayName=\"Default Domain Controllers Policy\") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admon Group Policy Object Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "69201633-30d9-48ef-b1b6-e680805f0582", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default \"New Group Policy Object\" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A new group policy objected was created on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" versionNumber=0 displayName!=\"New Group Policy Object\" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Base64 Content", "author": "Steven Dick, Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-28", "version": 3, "id": "683f48de-982f-4a7e-9aac-9cec550da498", "description": "The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.", "references": ["https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://blog.netwrix.com/2022/12/16/alternate_data_stream/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/file-stream-creation-hash.md"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1564", "T1564.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=15 NOT Contents IN (\"-\",\"[ZoneTransfer]*\") | regex TargetFilename=\"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "arguments": ["b64in"]}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_alternate_datastream___base64_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Executable Content", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 3, "id": "a258bf2a-34fd-4986-8086-78f506e00206", "description": "The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.", "references": ["https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://twitter.com/0xrawsec/status/1002478725605273600?s=21"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "file_hash", "type": "File Hash", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1564", "T1564.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=15 IMPHASH!=00000000000000000000000000000000 | regex TargetFilename=\"(? upperBound, \"Yes\", \"No\") | where anomaly=\"Yes\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP.", "known_false_positives": "False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_applocker_execution_from_uncommon_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 2, "id": "bca48629-7fa2-40d3-9e5d-807564504e28", "description": "The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to bypass application restrictions was detected on a host $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath, EventCode | where attempt_count > 5 | sort - attempt_count | lookup applockereventcodes EventCode OUTPUT Description | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk.", "known_false_positives": "False positives are possible if legitimate users are attempting to bypass application restrictions. This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_privilege_escalation_via_unauthorized_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "applockereventcodes", "description": "A csv of the ID and rule name for AppLocker event codes.", "filename": "applockereventcodes.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(AppLocker_Event_Code)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AppLocker Rare Application Launch Detection", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "9556f7b7-285f-4f18-8eeb-963d989f9d27", "description": "The following analytic detects the launch of rarely used applications within the environment, which may indicate the use of potentially malicious software or tools by attackers. It leverages Windows AppLocker event logs, aggregating application launch counts over time and flagging those that significantly deviate from the norm. This behavior is significant as it helps identify unusual application activity that could signal a security threat. If confirmed malicious, this activity could allow attackers to execute unauthorized code, potentially leading to further compromise of the system.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An application launch that deviates from the norm was detected on a host $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there.", "known_false_positives": "False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_rare_application_launch_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5", "description": "The following analytic detects the use of PowerShell scripts to archive files into a temporary folder. It leverages PowerShell Script Block Logging, specifically monitoring for the `Compress-Archive` command targeting the `Temp` directory. This activity is significant as it may indicate an adversary's attempt to collect and compress data for exfiltration. If confirmed malicious, this behavior could lead to unauthorized data access and exfiltration, posing a severe risk to sensitive information and overall network security.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Archive Collected Data via Powershell on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Compress-Archive*\" ScriptBlockText = \"*\\\\Temp\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to archive data.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_archive_collected_data_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Rar", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "2015de95-fe91-413d-9d62-2fe011b67e82", "description": "The following analytic identifies the execution of RAR utilities to archive files on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line arguments. This activity is significant as threat actors, including red-teamers and malware like DarkGate, use RAR archiving to compress and exfiltrate collected data from compromised hosts. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive information to command and control servers, posing a severe risk to data confidentiality and integrity.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a Rar.exe commandline used in archiving collected data in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"Rar.exe\" OR Processes.original_file_name = \"Rar.exe\" AND Processes.process = \"*a*\" Processes.process = \"* -ep1*\" Processes.process = \"* -r*\" Processes.process = \"* -y*\" Processes.process = \"* -v5m*\" Processes.process = \"* -m1*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_archive_collected_data_via_rar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AutoIt3 Execution", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "0ecb40d9-492b-4a57-9f87-515dd742794c", "description": "The following analytic detects the execution of AutoIt3, a scripting language often used for automating Windows GUI tasks and general scripting. It identifies instances where AutoIt3 or its variants are executed by searching for process names or original file names matching 'autoit3.exe'. This activity is significant because attackers frequently use AutoIt3 to automate malicious actions, such as executing malware. If confirmed malicious, this activity could lead to unauthorized code execution, system compromise, or further propagation of malware within the environment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Other"]}], "message": "Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_autoit3_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "description": "The following analytic detects modifications to undocumented registry keys that allow a DLL to load into lsass.exe, potentially capturing credentials. It leverages the Endpoint.Registry data model to identify changes to \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt. This activity is significant as it indicates a possible attempt to inject malicious code into the Local Security Authority Subsystem Service (LSASS), which can lead to credential theft. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information and escalate privileges within the environment.", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1547.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt\",\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_autostart_execution_lsass_driver_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "description": "The following analytic detects the use of mavinject.exe for DLL injection into running processes, identified by specific command-line parameters such as /INJECTRUNNING and /HMODULE. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it indicates potential arbitrary code execution, a common tactic for malware deployment and persistence. If confirmed malicious, this could allow attackers to execute unauthorized code, escalate privileges, and maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1218/013/", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.013", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN (\"*injectrunning*\", \"*hmodule=0x*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter on DLL name or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_binary_proxy_execution_mavinject_dll_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "99d157cb-923f-4a00-aee9-1f385412146f", "description": "The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process dropped a file in %startup% folder in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1547.001", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows BootLoader Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "description": "The following analytic identifies the bootloader paths on Windows endpoints. It leverages a PowerShell Scripted input to capture this data, which is then processed and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC as it helps detect unauthorized modifications that could indicate bootkits or other persistent threats. If confirmed malicious, such activity could allow attackers to maintain persistence, bypass security controls, and potentially control the boot process, leading to full system compromise.", "references": ["https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of BootLoaders are present on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1542.001", "T1542"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`", "how_to_implement": "To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model.", "known_false_positives": "No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "bootloader_inventory", "definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_bootloader_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "cce58e2c-988a-4319-9390-0daa9eefa3cd", "description": "The following analytic detects the execution of the deprecated 'pkgmgr.exe' process with an XML input file, which is unusual and potentially suspicious. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution details and command-line arguments. The significance lies in the deprecated status of 'pkgmgr.exe' and the use of XML files, which could indicate an attempt to bypass User Account Control (UAC). If confirmed malicious, this activity could allow an attacker to execute commands with elevated privileges, leading to potential system compromise and unauthorized changes.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A pkgmgr.exe executed with package manager xml input file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = \"*.xml*\" NOT(Processes.parent_process_path IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"*:\\\\Program Files*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_bypass_uac_via_pkgmgr_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows CAB File on Disk", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "622f08d0-69ef-42c2-8139-66088bc25acd", "description": "The following analytic detects .cab files being written to disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on events where the file name is '*.cab' and the action is 'write'. This activity is significant as .cab files can be used to deliver malicious payloads, including embedded .url files that execute harmful code. If confirmed malicious, this behavior could lead to unauthorized code execution and potential system compromise. Analysts should review the file path and associated artifacts for further investigation.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A .cab file was written to disk on endpoint $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_cab_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Cached Domain Credentials Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "description": "The following analytic identifies a process command line querying the CachedLogonsCount registry value in the Winlogon registry. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and registry queries. Monitoring this activity is significant as it can indicate the use of post-exploitation tools like Winpeas, which gather information about login caching settings. If confirmed malicious, this activity could help attackers understand login caching configurations, potentially aiding in credential theft or lateral movement within the network.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://learn.microsoft.com/de-de/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.005", "T1003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Processes.process = \"*CACHEDLOGONSCOUNT*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_cached_domain_credentials_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Change Default File Association For No File Ext", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "dbdf52ad-d6a1-4b68-975f-0a10939d8e38", "description": "The following analytic detects attempts to change the default file association for files without an extension to open with Notepad.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and registry modifications. This activity is significant as it can indicate an attempt to manipulate file handling behavior, a technique observed in APT and ransomware attacks like Prestige. If confirmed malicious, this could allow attackers to execute arbitrary code by tricking users into opening files, potentially leading to system compromise or data exfiltration.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with commandline $process$ set or change the file association of a file with no file extension in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1546.001", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process=\"* add *\" AND Processes.process=\"* HKCR\\\\*\" AND Processes.process=\"*\\\\shell\\\\open\\\\command*\" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process \"Notepad\\.exe (?.*$)\" | rex field=file_name_association \"\\.(?[^\\.]*$)\" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_change_default_file_association_for_no_file_ext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "ab73289e-2246-4de0-a14b-67006c72a893", "description": "The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1115"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_clipboard_data_via_get_clipboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "description": "The following analytic detects the modification of the InProcServer32 registry key by reg.exe, indicative of potential COM hijacking. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. COM hijacking is significant as it allows adversaries to insert malicious code that executes in place of legitimate software, providing a means for persistence. If confirmed malicious, this activity could enable attackers to execute arbitrary code, disrupt legitimate system components, and maintain long-term access to the compromised environment.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.015", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and some filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "description": "The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of \"/..\", \"\\..\", or \"\\\\..\". This activity is significant as it often indicates attempts to evade defenses by executing malicious code, such as through msdt.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,\"/..\"))-1) | eval count_of_pattern2 = (mvcount(split(process,\"\\..\"))-1) | eval count_of_pattern3 = (mvcount(split(process,\"\\\\..\"))-1) | eval count_of_pattern4 = (mvcount(split(process,\"//..\"))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "description": "The following analytic detects path traversal command-line execution, often used in malicious documents to execute code via msdt.exe for defense evasion. It leverages Endpoint Detection and Response (EDR) data, focusing on specific patterns in process paths. This activity is significant as it can indicate an attempt to bypass security controls and execute unauthorized code. If confirmed malicious, this behavior could lead to code execution, privilege escalation, or persistence within the environment, potentially allowing attackers to deploy malware or leverage other living-off-the-land binaries (LOLBins).", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process=\"*\\/..\\/..\\/..\\/*\" OR Processes.process=\"*\\\\..\\\\..\\\\..\\\\*\" OR Processes.process=\"*\\/\\/..\\/\\/..\\/\\/..\\/\\/*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Not known at this moment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "description": "The following analytic detects the execution of a DCRat \"forkbomb\" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data, focusing on the rapid creation of cmd.exe and notepad.exe processes within a 30-second window. This activity is significant as it indicates a potential DCRat infection, a known Remote Access Trojan (RAT) with destructive capabilities. If confirmed malicious, this behavior could lead to system instability, resource exhaustion, and potential disruption of services.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple cmd.exe processes with child process of notepad.exe executed on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.003", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= \"cmd.exe\" (Processes.process_name = \"notepad.exe\" OR Processes.original_file_name= \"notepad.exe\") Processes.parent_process = \"*.bat*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_shell_dcrat_forkbomb_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell Fetch Env Variables", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "048839e4-1eaa-43ff-8a22-86d17f6fcc13", "description": "The following analytic identifies a suspicious process command line fetching environment variables with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity is significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*cmd /c set\" OR Processes.process = \"*cmd.exe /c set\" AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "shell process that are not included in this search may cause False positive. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_shell_fetch_env_variables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a", "description": "The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise.", "references": ["https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html", "https://www.splunk.com/en_us/blog/security/dark-crystal-rat-agent-deep-dive.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Disabling Security Tools", "FIN7", "Netsh Abuse", "Qakbot", "Sandworm Tools", "Volt Typhoon", "Windows Defense Evasion Tactics", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "series of process commandline being abused by threat actor have been identified on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*Cmdline Tool Not Executed In CMD Shell*\", \"*Windows System Network Config Discovery Display DNS*\", \"*Local Account Discovery With Wmic*\", \"*Net Localgroup Discovery*\", \"*Create local admin accounts using net exe*\", \"*Local Account Discovery with Net*\", \"*Icacls Deny Command*\", \"*ICACLS Grant Command*\", \"*Windows Proxy Via Netsh*\", \"*Processes launching netsh*\", \"*Disabling Firewall with Netsh*\", \"*Windows System Network Connections Discovery Netsh*\", \"*Network Connection Discovery With Arp*\", \"*Windows System Discovery Using ldap Nslookup*\", \"*Windows System Shutdown CommandLine*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_common_abused_cmd_shell_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account Created by Computer Account", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "description": "The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) \"RestrictedKrbHost\". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack).", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!=\"NT AUTHORITY\" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may have a computer account that adds computer accounts, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_computer_account_created_by_computer_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "fb3b2bb3-75a4-4279-848a-165b42624770", "description": "The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName=\"*$\" src_ip!=\"::1\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible false positives will be present based on third party applications. Filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_computer_account_requesting_kerberos_ticket_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Computer Account With SPN", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "description": "The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.", "references": ["https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 NewUacValue=\"0x80\" ServicePrincipalNames IN (\"*HOST/*\",\"*RestrictedKrbHost/*\") | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(TargetDomainName),values(PrimaryGroupId), values(OldUacValue), values(NewUacValue),values(SamAccountName),values(DnsHostName),values(ServicePrincipalNames) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_computer_account_with_spn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows ConHost with Headless Argument", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "d5039508-998d-4cfc-8b5e-9dcd679d9a62", "description": "The following analytic detects the unusual invocation of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring for command-line executions where conhost.exe is executed with the --headless argument. This activity is significant for a SOC as it is not commonly used in legitimate operations and may indicate an attacker's attempt to execute commands stealthily. If confirmed malicious, this behavior could lead to persistence, lateral movement, or other malicious activities, potentially resulting in data exfiltration or system compromise.", "references": ["https://x.com/embee_research/status/1559410767564181504?s=20", "https://x.com/GroupIB_TI/status/1719675754886131959?s=20"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows ConHost with Headless Argument detected on $dest$ by $user$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1564.003", "T1564.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=conhost.exe Processes.process=\"*--headless *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_conhost_with_headless_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_conhost_with_headless_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Create Local Account", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "description": "The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.", "references": ["https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following $user$ was added to $dest$ as a local account.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_create_local_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credential Access From Browser Password Store", "author": "Teoderick Contreras, Bhavin Patel Splunk", "date": "2024-05-29", "version": 2, "id": "72013a8e-5cea-408a-9d51-5585386b4d69", "description": "The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-common browser process $process_name$ accessing browser user data folder on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name \"(?[^\\\\\\\\]+)$\" | eval isMalicious=if(match(browser_process_name, extracted_process_name), \"0\", \"1\") | where isMalicious=1 and isAllowed=\"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\" This search may trigger on a browser application that is not included in the browser_app_list lookup file.", "known_false_positives": "The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credential_access_from_browser_password_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "browser_app_list", "description": "A list of known browser application being targeted for credential extraction.", "filename": "browser_app_list.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(browser_process_name), WILDCARD(browser_object_path)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "description": "The following analytic detects the use of CreateDump.exe to perform a process dump. This binary is not native to Windows and is often introduced by third-party applications, including PowerShell 7. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and complete command-line executions. This activity is significant as it may indicate an attempt to dump LSASS memory, which can be used to extract credentials. If confirmed malicious, this could lead to unauthorized access and lateral movement within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name=\"FX_VER_INTERNALNAME_STR\" Processes.process=\"*-u *\" AND Processes.process=\"*-f *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credential_dumping_lsass_memory_createdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "description": "The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "CISA AA23-347A", "DarkGate Malware", "Phemedrone Stealer", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Local Extension Settings\\\\*\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credentials_from_password_stores_chrome_extension_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "3b1d09a8-a26f-473e-a510-6c6613573657", "description": "The following analytic detects non-Chrome processes accessing the Chrome \"Local State\" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing \"Chrome\\\\User Data\\\\Local State\" file on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\" NOT (process_name IN (\"*\\\\chrome.exe\",\"*:\\\\Windows\\\\explorer.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credentials_from_password_stores_chrome_localstate_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "description": "The following analytic identifies non-Chrome processes accessing the Chrome user data file \"login data.\" This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing Chrome \"Login Data\" file on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*:\\\\Windows\\\\System32\\\\dllhost.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credentials_from_password_stores_chrome_login_data_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "c0c5a479-bf57-4ca0-af3a-4c7081e5ba05", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is used to create stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because cmdkey.exe is often abused by post-exploitation tools and malware, such as Darkgate, to gain unauthorized access. If confirmed malicious, this behavior could allow attackers to escalate privileges and maintain persistence on the targeted host, facilitating further attacks and potential data breaches.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to create stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1555"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/generic*\" Processes.process IN (\"*/user*\", \"*/password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_creation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "46d676aa-40c6-4fe6-b917-d23b621f0f89", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe with the /delete parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. The activity is significant because cmdkey.exe can be used by attackers to delete stored credentials, potentially leading to privilege escalation and persistence. If confirmed malicious, this behavior could allow attackers to remove stored user credentials, hindering incident response efforts and enabling further unauthorized access to the compromised system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to delete stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1555"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/delete*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is often abused by post-exploitation tools like winpeas, commonly used in ransomware attacks to list stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it indicates potential credential harvesting, which can lead to privilege escalation and persistence. If confirmed malicious, attackers could gain unauthorized access to sensitive information and maintain control over compromised systems for further exploitation.", "references": ["https://ss64.com/nt/cmdkey.html", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["DarkGate Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to display stored username and credentials.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/list*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials in Registry Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "description": "The following analytic identifies processes querying the registry for potential passwords or credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that access specific registry paths known to store sensitive information. This activity is significant as it may indicate credential theft attempts, often used by adversaries or post-exploitation tools like winPEAS. If confirmed malicious, this behavior could lead to privilege escalation, persistence, or lateral movement within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1552/002/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "reg query commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.002", "T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process IN (\"*\\\\Software\\\\ORL\\\\WinVNC3\\\\Password*\", \"*\\\\SOFTWARE\\\\RealVNC\\\\WinVNC4 /v password*\", \"*\\\\CurrentControlSet\\\\Services\\\\SNMP*\", \"*\\\\Software\\\\TightVNC\\\\Server*\", \"*\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions*\", \"*\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys*\", \"*password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_in_registry_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Download to Suspicious Path", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "c32f091e-30db-11ec-8738-acde48001122", "description": "The following analytic detects the use of Windows Curl.exe to download a file to a suspicious location, such as AppData, ProgramData, or Public directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include the -O or --output options. This activity is significant because downloading files to these locations can indicate an attempt to bypass security controls or establish persistence. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further compromise of the system.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://attack.mitre.org/techniques/T1105/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"], "tags": {"analytic_story": ["Forest Blizzard", "IcedID", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_curl_download_to_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Upload to Remote Destination", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "42f8f1a2-4228-11ec-aade-acde48001122", "description": "The following analytic detects the use of Windows Curl.exe to upload a file to a remote destination. It identifies command-line arguments such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity is significant because adversaries may use Curl to exfiltrate data or upload malicious payloads. If confirmed malicious, this could lead to data breaches or further compromise of the system. Analysts should review parallel processes and network logs to determine if the upload was successful and isolate the endpoint if necessary.", "references": ["https://everything.curl.dev/usingcurl/uploads", "https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409", "https://twitter.com/d1r4c/status/1279042657508081664?s=20"], "tags": {"analytic_story": ["Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be limited to source control applications and may be required to be filtered out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_curl_upload_to_remote_destination_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-24", "version": 3, "id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "description": "The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.", "references": ["https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"analytic_story": ["Data Destruction", "Swift Slicer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.exe\", \"*.sys\", \"*.dll\") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_data_destruction_recursive_exec_files_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Debugger Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-06-07", "version": 1, "id": "e14d94a3-07fb-4b47-8406-f5e37180d422", "description": "This analysis detects the use of debugger tools within a production environment. While these tools are legitimate for file analysis and debugging, they are abused by malware like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) in identifying potentially suspicious tool executions, particularly for non-technical users in the production network.", "references": ["https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html", "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "tags": {"analytic_story": ["DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a debugger $process_name$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"x32dbg.exe\" OR Processes.process_name = \"x64dbg.exe\" OR Processes.process_name = \"windbg.exe\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_debugger_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator or IT professional may execute this application for verifying files or debugging application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_debugger_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "description": "The following analytic identifies modifications to the TranscodedWallpaper file in the wallpaper theme directory, excluding changes made by explorer.exe. This detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to correlate process activity with file modifications. This activity is significant as it may indicate an adversary attempting to deface or change the desktop wallpaper of a targeted host, a tactic often used to signal compromise or deliver a message. If confirmed malicious, this could be a sign of unauthorized access and tampering, potentially leading to further system compromise or data exfiltration.", "references": ["https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "modification or creation of transcodedwallpaper file by $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1491"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !=\"*\\\\Windows\\\\Explorer.EXE\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Themes\\\\TranscodedWallpaper\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "3rd part software application can change the wallpaper. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_defacement_modify_transcodedwallpaper_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserSid", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A default group policy object was modified on $Computer$ by $SubjectUserSid$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN=\"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*\" OR ObjectDN=\"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*\") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with specific GUIDs related to default GPOs. This activity is significant because default GPOs, such as the `Default Domain Controllers Policy` and `Default Domain Policy`, are critical for enforcing security policies across the domain. If malicious, such modifications could allow an attacker to gain further access, establish persistence, or deploy malware across numerous hosts, severely compromising the network's security.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A default group policy object was opened with Group Policy Manage Editor on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = \"*31B2F340-016D-11D2-945F-00C04FB984F9*\" OR Processes.process = \"*6AC1786C-016F-11D2-945F-00C04fB984F9*\" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_default_group_policy_object_modified_with_gpme_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defender ASR Audit Events", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea", "description": "This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR audit event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1566.001", "T1566.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | stats count min(_time) as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_audit_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Block Events", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "026f5f4e-e99f-4155-9e63-911ba587300b", "description": "This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR block event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1566.001", "T1566.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | stats count min(_time) as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_block_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Registry Modification", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "6a1b6cbe-6612-44c3-92b9-1a1bd77412eb", "description": "The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR registry modification event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rule Disabled", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "429d611b-3183-49a7-b235-fc4203c4e1cb", "description": "The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR rule disabled event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | search New_Registry_Value=\"Disabled\" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rule_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rules Stacking", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "425a6657-c5e4-4cbb-909e-fc9e5d326f01", "description": "The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An ASR rule, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566.001", "T1566.002", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired.", "known_false_positives": "False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rules_stacking_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender Exclusion Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 4, "id": "13395a44-4dd9-11ec-9df7-acde48001122", "description": "The following analytic detects modifications to the Windows Defender exclusion registry entries. It leverages endpoint registry data to identify changes in the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\". This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Qakbot", "Remcos", "Warzone RAT", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_defender_exclusion_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Delete or Modify System Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "b188d11a-eba7-419d-b8b6-cc265b4f2c4f", "description": "The following analytic identifies 'netsh' processes that delete or modify firewall configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific keywords. This activity is significant because it can indicate malware, such as NJRAT, attempting to alter firewall settings to evade detection or remove traces. If confirmed malicious, this behavior could allow an attacker to disable security measures, facilitating further compromise and persistence within the network.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ deleted a firewall configuration on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1562.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* firewall *\" Processes.process = \"* delete *\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may modify or delete firewall configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_delete_or_modify_system_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "description": "The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Change Password Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" with a value of \"0x00000001\". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableChangePassword\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "datamodel": ["Endpoint", "Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_change_password_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 4, "id": "c82adbc6-9f00-11ec-a81f-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" with a value of \"0x00000001\". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption.", "references": ["https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/", "https://heimdalsecurity.com/blog/fatalrat-targets-telegram/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableLockWorkstation\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_lock_workstation_feature_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable LogOff Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 4, "id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system.", "references": ["https://www.hybrid-analysis.com/sample/e2d4018fd3bd541c153af98ef7c25b2bf4a66bc3bfb89e437cde89fd08a9dd7b/5b1f4d947ca3e10f22714774", "https://malwiki.org/index.php?title=DigiPop.xp", "https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"NoLogOff\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_logoff_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Memory Crash Dump", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 3, "id": "59e54602-9680-11ec-a8a6-acde48001122", "description": "The following analytic detects attempts to disable the memory crash dump feature on Windows systems by setting the registry value to 0. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled registry key. This activity is significant because disabling crash dumps can hinder forensic analysis and incident response efforts. If confirmed malicious, this action could be part of a broader attack strategy, such as data destruction or system destabilization, as seen with HermeticWiper, potentially leading to significant operational disruptions and data loss.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process was identified attempting to disable memory crash dumps on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\CrashControl\\\\CrashDumpEnabled\") AND Registry.registry_value_data=\"0x00000000\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_memory_crash_dump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Notification Center", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableNotificationCenter\" registry value set to \"0x00000001.\" This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows notification center was disabled on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_notification_center_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable or Modify Tools Via Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a43ae66f-c410-4b3d-8741-9ce1ad17ddb0", "description": "The following analytic identifies the use of taskkill.exe to forcibly terminate processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific taskkill parameters. This activity is significant because it can indicate attempts to disable security tools or disrupt legitimate applications, a common tactic in malware operations. If confirmed malicious, this behavior could allow attackers to evade detection, disrupt system stability, and potentially gain further control over the compromised system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "A taskkill process to terminate process is executed on host- $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1562.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" Processes.process IN (\"* /f*\", \"* /t*\") Processes.process IN (\"* /im*\", \"* /pid*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Network administrator can use this application to kill process during audit or investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_or_modify_tools_via_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Shutdown Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "55fb2958-9ecd-11ec-a06a-acde48001122", "description": "The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"shutdownwithoutlogon\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_shutdown_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "description": "The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively.", "references": ["https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["CISA AA23-347A", "IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.002", "T1562", "T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*set config*\", \"*httplogging*\",\"*dontlog:true*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_event_logging_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 5, "id": "63a449ae-9f04-11ec-945e-acde48001122", "description": "The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment.", "references": ["https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis", "https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to disable windows group policy features on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_group_policy_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DisableAntiSpyware Registry", "author": "Rod Soto, Jose Hernandez, Michael Haag, Splunk", "date": "2024-05-28", "version": 3, "id": "23150a40-9301-4195-b802-5bb4f43067fb", "description": "The following analytic detects the modification of the Windows Registry key \"DisableAntiSpyware\" being set to disable. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"DisableAntiSpyware\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with Ryuk ransomware infections, indicating potential malicious intent to disable Windows Defender. If confirmed malicious, this action could allow attackers to disable critical security defenses, facilitating further malicious activities such as data encryption, exfiltration, or additional system compromise.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/"], "tags": {"analytic_story": ["Azorult", "CISA AA22-264A", "CISA AA23-347A", "RedLine Stealer", "Ryuk Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows DisableAntiSpyware registry key set to 'disabled' on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name=\"DisableAntiSpyware\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disableantispyware_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DiskCryptor Usage", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "description": "The following analytic detects the execution of DiskCryptor, identified by the process names \"dcrypt.exe\" or \"dcinst.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. DiskCryptor is significant because adversaries use it to manually encrypt disks during an operation, potentially leading to data inaccessibility. If confirmed malicious, this activity could result in complete disk encryption, causing data loss and operational disruption. Immediate investigation is required to mitigate potential ransomware attacks.", "references": ["https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://github.com/DavidXanatos/DiskCryptor"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dcrypt.exe\" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_diskcryptor_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Diskshadow Proxy Execution", "author": "Lou Stella, Splunk", "date": "2024-05-18", "version": 2, "id": "58adae9e-8ea3-11ec-90f6-acde48001122", "description": "The following analytic detects the use of DiskShadow.exe in scripting mode, which can execute arbitrary unsigned code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions with scripting mode flags. This activity is significant because DiskShadow.exe is typically used for legitimate backup operations, but its misuse can indicate an attempt to execute unauthorized code. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.", "references": ["https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Signed Binary Proxy Execution on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_diskshadow", "definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_diskshadow_proxy_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DISM Remove Defender", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "8567da9e-47f0-11ec-99a9-acde48001122", "description": "The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender.", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender.", "risk_score": 80, "security_domain": "access", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process=\"*/online*\" AND Processes.process=\"*/disable-feature*\" AND Processes.process=\"*Windows-Defender*\" AND Processes.process=\"*/remove*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dism_remove_defender_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "description": "The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Qakbot", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 NOT (process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`", "how_to_implement": "The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "description": "The following analytic detects DLL search order hijacking involving iscsicpl.exe. It identifies when iscsicpl.exe loads a malicious DLL from a new path, triggering the payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on child processes spawned by iscsicpl.exe. This activity is significant as it indicates a potential attempt to execute unauthorized code via DLL hijacking. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/422926799/csplugin/tree/master/bypassUAC"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_with_iscsicpl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows DLL Side-Loading In Calc", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "af01f6db-26ac-440e-8d89-2793e303f137", "description": "The following analytic detects suspicious DLL modules loaded by calc.exe that are not located in the %systemroot%\\system32 or %systemroot%\\sysWoW64 directories. This detection leverages Sysmon EventCode 7 to identify DLL side-loading, a technique often used by Qakbot malware to execute malicious DLLs. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.", "references": ["https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Image = \"*\\calc.exe\" AND NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\")) AND NOT(ImageLoaded IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\windows\\\\WinSXS\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_side_loading_in_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "description": "The following analytic identifies suspicious child processes spawned by calc.exe, indicative of DLL side-loading techniques. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, and parent processes. This activity is significant as it is commonly associated with Qakbot malware, which uses calc.exe to load malicious DLLs via regsvr32.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges, posing a severe threat to the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "calc.exe has a child process $process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_side_loading_process_child_of_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DNS Gather Network Info", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "description": "The following analytic detects the use of the dnscmd.exe command to enumerate DNS records. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This activity is significant as it may indicate an adversary gathering network information, a common precursor to more targeted attacks. If confirmed malicious, this behavior could enable attackers to map the network, identify critical assets, and plan subsequent actions, potentially leading to data exfiltration or further compromise of the network.", "references": ["https://cert.gov.ua/article/3718487", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process commandline $process$ to enumerate dns record in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1590.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dnscmd.exe\" Processes.process = \"* /enumrecords *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dns_gather_network_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DnsAdmins New Member Added", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 4, "id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "description": "The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise", "https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A new member $user$ added to the DnsAdmins group by $src_user$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`", "how_to_implement": "To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.", "known_false_positives": "New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_dnsadmins_new_member_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "a7fbbc4e-4571-424a-b627-6968e1c939e4", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetComputer, which is used to query Active Directory for user account details such as \"samaccountname,\" \"accountexpires,\" \"lastlogon,\" and more. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Domain Account Discovery Via Get-NetComputer in $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetComputer*\" ScriptBlockText IN (\"*samaccountname*\", \"*accountexpires*\", \"*lastlogon*\", \"*lastlogoff*\", \"*pwdlastset*\", \"*logoncount*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_domain_account_discovery_via_get_netcomputer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Domain Admin Impersonation Indicator", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "10381f93-6d38-470a-9c30-d25478e3bd3f", "description": "The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.", "references": ["https://trustedsec.com/blog/a-diamond-in-the-ruff", "https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks", "https://github.com/GhostPack/Rubeus/pull/136", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "TargetUserName", "type": "User", "role": ["Victim"]}], "message": "$TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN (\"*$\", \"SYSTEM\", \"DWM-*\",\"LOCAL SERVICE\",\"NETWORK SERVICE\", \"ANONYMOUS LOGON\", \"UMFD-*\") | where match(GroupMembership, \"Domain Admins\") | stats count by _time, TargetUserName, GroupMembership, host | lookup domain_admins username as TargetUserName OUTPUT username | fillnull value=NotDA username | search username = \"NotDA\" | `windows_domain_admin_impersonation_indicator_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table.", "known_false_positives": "False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_domain_admin_impersonation_indicator_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "domain_admins", "description": "List of domain admins", "filename": "domain_admins.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Windows DotNet Binary in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "fddf3b56-7933-11ec-98a6-acde48001122", "description": "The following analytic detects the execution of native .NET binaries from non-standard directories within the Windows operating system. It leverages Endpoint Detection and Response (EDR) telemetry, comparing process names and original file names against a predefined lookup using the `is_net_windows_file_macro` macro. This activity is significant because adversaries may move .NET binaries to unconventional paths to evade detection and execute malicious code. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` | `windows_dotnet_binary_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "is_net_windows_file_macro", "definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dotnet_binary_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "description": "The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244"], "tags": {"analytic_story": ["Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Drivers have been identified on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`", "how_to_implement": "To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.", "known_false_positives": "Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\\drivers and look for non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "driverinventory", "definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Load Non-Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "9216ef3d-066a-4958-8f27-c84589465e62", "description": "The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A kernel mode driver was loaded from a non-standard path on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1014", "T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_load_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Drivers Loaded by Signature", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "description": "The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A driver has loaded on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1014", "T1068"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.", "known_false_positives": "This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_drivers_loaded_by_signature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "description": "The following analytic detects the creation of a new DWORD value named \"EnableAt\" in the registry path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands to add scheduled tasks on a Windows endpoint. The detection leverages registry event data from the Endpoint datamodel. This activity is significant because it may indicate that an attacker is enabling the ability to schedule tasks, potentially to execute malicious code at specific times or intervals. If confirmed malicious, this could allow persistent code execution on the system.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\CurrentVersion\\\\Schedule\\\\Configuration*\" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_enable_win32_scheduledjob_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event For Service Disabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 4, "id": "9c2620a8-94a1-11ec-b40c-acde48001122", "description": "The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["RedLine Stealer", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Service $ServiceName$ was disabled on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_system` EventCode=7040 EventData_Xml=\"*disabled*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Windows service update may cause this event. In that scenario, filtering is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_event_for_service_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Event Log Cleared", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-12", "version": 8, "id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "description": "The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA22-264A", "Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows event logs cleared on $dest$ via EventCode $EventCode$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1070", "T1070.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_event_log_cleared_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Event Triggered Image File Execution Options Injection", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "description": "The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.", "references": ["https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.012"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_application` EventCode=3000 | rename param1 AS \"Process\" param2 AS \"Exit_Code\" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`", "how_to_implement": "This analytic requires capturing the Windows Event Log Application channel in XML.", "known_false_positives": "False positives may be present and tuning will be required before turning into a TTP or notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_event_triggered_image_file_execution_options_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Excessive Disabled Services Event", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "c3f85976-94a5-11ec-9a58-acde48001122", "description": "The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This activity is significant as it may indicate an adversary attempting to disable security applications or other critical services, potentially leading to defense evasion or destructive actions. If confirmed malicious, this behavior could allow attackers to disable security defenses, disrupt system operations, and achieve their objectives on the compromised system.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An excessive number (Count - $MessageCount$) of Windows services were disabled on dest - $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7040 \"disabled\" | stats count values(EventData_Xml) as MessageList dc(EventData_Xml) as MessageCount min(_time) as firstTime max(_time) as lastTime by Computer EventCode UserID | rename Computer as dest | where count >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_excessive_disabled_services_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Executable in Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "3e27af56-fcf0-4113-988d-24969b062be7", "description": "The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An executable $ImageLoaded$ loaded by $Image$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1129"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_executable_in_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Execute Arbitrary Commands with MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "description": "The following analytic detects arbitrary command execution using Windows msdt.exe, a Diagnostics Troubleshooting Wizard. It leverages Endpoint Detection and Response (EDR) data to identify instances where msdt.exe is invoked via the ms-msdt:/ protocol handler to retrieve a remote payload. This activity is significant as it can indicate an exploitation attempt leveraging msdt.exe to execute arbitrary commands, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe security risk.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe Processes.process IN (\"*msdt*\",\"*ms-msdt:*\",\"*ms-msdt:/id*\",\"*ms-msdt:-id*\",\"*/id*\") AND (Processes.process=\"*IT_BrowseForFile=*\" OR Processes.process=\"*IT_RebrowseForFile=*\" OR Processes.process=\"*.xml*\") AND Processes.process=\"*PCWDiagnostic*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_execute_arbitrary_commands_with_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "description": "The following analytic detects potential data exfiltration using PowerShell's Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts that attempt to upload files via HTTP POST requests. This activity is significant as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots or files, to an external command and control (C2) server. If confirmed malicious, this could lead to data breaches, loss of sensitive information, and further compromise of the affected systems. Immediate investigation is recommended to determine the intent and scope of the activity.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1041"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Invoke-RestMethod *\" AND ScriptBlockText = \"* -Uri *\" AND ScriptBlockText = \"* -Method *\" AND ScriptBlockText = \"* Post *\" AND ScriptBlockText = \"* -InFile *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "description": "The following analytic identifies potential data exfiltration using the PowerShell `net.webclient` command with the `UploadString` method. It leverages PowerShell Script Block Logging to detect instances where this command is executed. This activity is significant as it may indicate an attempt to upload sensitive data, such as desktop screenshots or files, to an external or internal URI, often associated with malware like Winter-Vivern. If confirmed malicious, this could lead to unauthorized data transfer, compromising sensitive information and potentially leading to further exploitation of the compromised host.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1041"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Net.webclient*\" AND ScriptBlockText = \"*.UploadString*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "description": "The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.", "references": ["https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An certificate was exported on $dest$ from the Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter`", "how_to_implement": "To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational.", "known_false_positives": "False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "certificateservices_lifecycle", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Share Discovery With Powerview", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "description": "The following analytic detects the execution of the Invoke-ShareFinder PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block Logging to identify instances where this specific command is executed. Monitoring this activity is crucial as it indicates an attempt to enumerate network file shares, which may contain sensitive information such as backups, scripts, and credentials. If confirmed malicious, this activity could enable an attacker to escalate privileges or move laterally within the network, potentially compromising additional systems and sensitive data.", "references": ["https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Invoke-ShareFinder commandlet was executed on $Computer$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1135"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_file_share_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "description": "The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like \"Program Files\" or \"Windows\\System32\". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a FTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1071.003", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\windows\\\\system32\\\\*\",\"*\\\\windows\\\\SysWOW64\\\\*\")) (DestinationPortName=\"ftp\" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_transfer_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Without Extension In Critical Folder", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "0dbcac64-963c-11ec-bf04-acde48001122", "description": "The following analytic detects the creation of files without extensions in critical folders like \"System32\\Drivers.\" It leverages data from the Endpoint.Filesystem datamodel, focusing on file paths and creation times. This activity is significant as it may indicate the presence of destructive malware, such as HermeticWiper, which drops driver components in these directories. If confirmed malicious, this behavior could lead to severe system compromise, including boot sector wiping, resulting in potential data loss and system inoperability.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Driver file with out file extension drop in $file_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\System32\\\\drivers\\\\*\", \"*\\\\syswow64\\\\drivers\\\\*\") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field=\"file_name\" \"\\.(?[^\\.]*$)\" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Unknown at this point", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_file_without_extension_in_critical_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "c76b796c-27e1-4520-91c4-4a58695c749e", "description": "The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222.001", "T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\",\"xcacls.exe\") AND Processes.process IN (\"*:R*\", \"*:W*\", \"*:F*\", \"*:C*\",, \"*:N*\",\"*/P*\", \"*/E*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "0ada2f82-b7af-40cc-b1d7-1e5985afcb4e", "description": "The following analytic detects the execution of the `Get-DomainOU` cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-DomainOU` usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainOU*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_domain_organizational_units_with_getdomainou_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "e4a96dfd-667a-4487-b942-ccef5a1e81e8", "description": "The following analytic detects the execution of the `Find-InterestingDomainAcl` cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-InterestingDomainAcl*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Findstr GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "description": "The following analytic detects the use of the findstr command to search for unsecured credentials in Group Policy Preferences (GPP). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving findstr.exe with references to SYSVOL and cpassword. This activity is significant because it indicates an attempt to locate and potentially decrypt embedded credentials in GPP, which could lead to unauthorized access. If confirmed malicious, this could allow an attacker to escalate privileges or gain access to sensitive systems and data within the domain.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Findstr was executed to discover GPP credentials on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1552", "T1552.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_findstr_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Forest Discovery with GetForestDomain", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "a14803b2-4bd9-4c08-8b57-c37980edebe8", "description": "The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ForestDomain*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_forest_discovery_with_getforestdomain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Host Information Camera", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 3, "id": "e4df4676-ea41-4397-b160-3ee0140dc332", "description": "The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Powershell script to enumerate camera detected on host - $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1592.001", "T1592"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"* Win32_PnPEntity *\" ScriptBlockText= \"*SELECT*\" ScriptBlockText= \"*WHERE*\" ScriptBlockText = \"*PNPClass*\" ScriptBlockText IN (\"*Image*\", \"*Camera*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may execute this powershell command to get hardware information related to camera on $dest$.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_gather_victim_host_information_camera_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Identity SAM Info", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "description": "The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.", "references": ["https://redcanary.com/blog/active-breach-evading-defenses/", "https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $dest$ that loads $ImageLoaded$ that are related to accessing to SAM object information.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1589.001", "T1589"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\samlib.dll\" AND OriginalFileName = \"samlib.dll\") OR (ImageLoaded = \"*\\\\samcli.dll\" AND OriginalFileName = \"SAMCLI.DLL\") AND NOT (Image IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_identity_sam_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "70f7c952-0758-46d6-9148-d8969c4481d1", "description": "The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like \"wtfismyip.com\" and \"ipinfo.io\". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "DarkCrystal RAT", "Phemedrone Stealer", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process connecting IP location web services on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1590.005", "T1590"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.*\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\", \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\", \"*geoip.*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "Filter internet browser application to minimize the false positive of this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_network_info_through_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "c8640777-469f-4638-ab44-c34a3233ffac", "description": "The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADComputer*\" AND ScriptBlockText = \"*TrustedForDelegation*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "d2988160-3ce9-4310-b59d-905334920cdd", "description": "The following analytic detects the execution of the `Find-LocalAdminAccess` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-LocalAdminAccess*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_local_admin_with_findlocaladminaccess_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Group Policy Object Created", "author": "Mauricio Velazco", "date": "2024-05-17", "version": 2, "id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service change events to identify when a new GPO is created. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.varonis.com/blog/group-policy-objects"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}], "message": "A new group policy objected was created by $User$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1484", "T1484.001", "T1078.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!=\"New Group Policy Object\" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Hidden Schedule Task Settings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "description": "The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-257A", "Data Destruction", "Industroyer2", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task with hidden setting enable in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_hidden_schedule_task_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Hide Notification Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 4, "id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "description": "The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.ONALOCKER.A/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to hide windows notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_hide_notification_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows High File Deletion Frequency", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-18", "version": 3, "id": "45b125c4-866f-11eb-a95a-acde48001122", "description": "The following analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names, and process IDs. Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted. If confirmed malicious, this activity could lead to extensive data loss and operational disruption, as ransomware can render critical files inaccessible, demanding a ransom for their recovery.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Data Destruction", "Sandworm Tools", "Swift Slicer", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Elevated file deletion rate observed from process [$process_name$] on machine $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.cmd\", \"*.ini\",\"*.gif\", \"*.jpg\", \"*.jpeg\", \"*.db\", \"*.ps1\", \"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.bmp\",\"*.zip\", \"*.rar\", \"*.7z\", \"*.chm\", \"*.png\", \"*.log\", \"*.vbs\", \"*.js\", \"*.vhd\", \"*.bak\", \"*.wbcat\", \"*.bkf\" , \"*.backup*\", \"*.dsk\", \"*.win\") NOT TargetFilename IN (\"*\\\\INetCache\\\\Content.Outlook\\\\*\") | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_high_file_deletion_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "description": "The following analytic detects a process loading a version.dll file from a directory other than %windir%\\system32 or %windir%\\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host.", "references": ["https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loading $ImageLoaded$ as a side load dll in $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded = \"*\\\\version.dll\" AND (Signed = \"false\" OR NOT(ImageLoaded IN(\"*\\\\windows\\\\system32*\", \"*\\\\windows\\\\syswow64\\\\*\"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hijack_execution_flow_version_dll_side_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hunting System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "description": "The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hunting_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Identify Protocol Handlers", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "description": "The following analytic identifies the use of protocol handlers executed via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because protocol handlers can be exploited to execute arbitrary commands or launch applications, potentially leading to unauthorized actions. If confirmed malicious, an attacker could use this technique to gain code execution, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e", "https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html", "https://blogs.windows.com/msedgedev/2022/01/20/getting-started-url-protocol-handlers-microsoft-edge/", "https://github.com/Mr-Un1k0d3r/PoisonHandler", "https://www.mdsec.co.uk/2021/03/phishing-users-to-take-a-test/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file", "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/disabling-the-msix-ms-appinstaller-protocol-handler/ba-p/3119479", "https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug", "https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler=\"TRUE\" | `windows_identify_protocol_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_identify_protocol_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers", "filename": "windows_protocol_handlers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows IIS Components Add New Module", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "description": "The following analytic detects the execution of AppCmd.exe to install a new module in IIS. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it to install webshells or backdoors, leading to credit card scraping, persistence, and further post-exploitation. If confirmed malicious, this could allow attackers to maintain persistent access, execute arbitrary code, and potentially exfiltrate sensitive information from the compromised web server.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*install *\", \"*module *\") AND Processes.process=\"*image*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present until properly tuned. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_iis_components_add_new_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 2, "id": "20db5f70-34b4-4e83-8926-fa26119de173", "description": "The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts", "https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "IIS Modules have been listed on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505.004", "T1505"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`", "how_to_implement": "You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "known_false_positives": "This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "iis_get_webglobalmodule", "definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_get_webglobalmodule_module_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Module Failed to Load", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "description": "The following analytic detects when an IIS Module DLL fails to load due to a configuration problem, identified by EventCode 2282. This detection leverages Windows Application event logs to identify repeated failures in loading IIS modules. Such failures can indicate misconfigurations or potential tampering with IIS components. If confirmed malicious, this activity could lead to service disruptions or provide an attacker with opportunities to exploit vulnerabilities within the IIS environment. Immediate investigation is required to determine the legitimacy of the failing module and to mitigate any potential security risks.", "references": ["https://social.technet.microsoft.com/wiki/contents/articles/21757.event-id-2282-iis-worker-process-availability.aspx", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`", "how_to_implement": "IIS must be installed and Application event logs must be collected in order to utilize this analytic.", "known_false_positives": "False positives will be present until all module failures are resolved or reviewed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_module_failed_to_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows IIS Components New Module Added", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "description": "The following analytic detects the addition of new IIS modules on a Windows IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, specifically EventCode 29, to identify this activity. This behavior is significant because IIS modules are rarely added to production servers, and unauthorized modules could indicate malicious activity. If confirmed malicious, an attacker could use these modules to execute arbitrary code, escalate privileges, or maintain persistence within the environment, potentially compromising the server and sensitive data.", "references": ["https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter`", "how_to_implement": "You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040.", "known_false_positives": "False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "iis_operational_logs", "definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_new_module_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "467ed9d9-8035-470e-ad5e-ae5189283033", "description": "The following analytic detects the use of a PowerShell commandlet to import an AppLocker XML policy. This behavior is identified by monitoring processes that execute the \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" commands with the \"-XMLPolicy\" parameter. This activity is significant because it can indicate an attempt to disable or bypass security controls, as seen in the Azorult malware. If confirmed malicious, this could allow an attacker to disable antivirus products, leading to further compromise and persistence within the environment.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker importing xml policy command was executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process=\"*Import-Module Applocker*\" AND Processes.process=\"*Set-AppLockerPolicy *\" AND Processes.process=\"* -XMLPolicy *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_add_xml_applocker_rules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "5211c260-820e-4366-b983-84bbfb5c263a", "description": "The following analytic detects modifications to the Windows registry that change the health check interval of Windows Defender. It leverages data from the Endpoint datamodel, specifically monitoring changes to the \"ServiceKeepAlive\" registry path with a value of \"0x00000001\". This activity is significant because altering Windows Defender settings can impair its ability to perform timely health checks, potentially leaving the system vulnerable. If confirmed malicious, this could allow an attacker to disable or delay security scans, increasing the risk of undetected malware or other malicious activities.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "change in the health check interval of Windows Defender on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\ServiceKeepAlive\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_health_check_intervals_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "783f0798-f679-4c17-b3b3-187febf0b9b8", "description": "The following analytic detects modifications to the Windows registry that change the Windows Defender Quick Scan Interval. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"QuickScanInterval\" registry path. This activity is significant because altering the scan interval can impair Windows Defender's ability to detect malware promptly, potentially allowing threats to persist undetected. If confirmed malicious, this modification could enable attackers to bypass security measures, maintain persistence, and execute further malicious activities without being detected by quick scans.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender QuickScanInterval feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Scan\\\\QuickScanInterval\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_quick_scan_interval_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "f7da5fca-9261-43de-a4d0-130dad1e4f4d", "description": "The following analytic detects modifications to the ThrottleDetectionEventsRate registry setting in Windows Defender. It leverages data from the Endpoint.Registry datamodel to identify changes in the registry path related to Windows Defender's event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate can reduce the frequency of logged detection events, potentially masking malicious activities. If confirmed malicious, this could allow an attacker to evade detection by decreasing the visibility of security events, thereby hindering incident response and forensic investigations.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\ThrottleDetectionEventsRate\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_throttle_rate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "fe9391cd-952a-4c64-8f56-727cb0d4f2d4", "description": "The following analytic detects modifications to the Windows registry specifically targeting the \"WppTracingLevel\" setting within Windows Defender. This detection leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Defender tracing levels. Such modifications are significant as they can impair the diagnostic capabilities of Windows Defender, potentially hiding malicious activities. If confirmed malicious, this activity could allow an attacker to evade detection and maintain persistence within the environment, leading to further compromise and data exfiltration.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender WppTracingLevel registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\WppTracingLevel\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_tracing_level_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Configure App Install Control", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c54b7439-cfb1-44c3-bb35-b0409553077c", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender SmartScreen App Install Control feature. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values. This activity is significant because disabling App Install Control can allow users to install potentially malicious web-based applications without restrictions, increasing the risk of security vulnerabilities. If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender App Install Control registry set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControl\" Registry.registry_value_data= \"Anywhere\") OR (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControlEnabled\" Registry.registry_value_data= \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_configure_app_install_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "7215831c-8252-4ae3-8d43-db588e82f952", "description": "The following analytic detects modifications to the Windows Defender ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry datamodel to identify changes in registry values that define how Windows Defender responds to threats. This activity is significant because altering these settings can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. If confirmed malicious, this could enable attackers to bypass antivirus protections, leading to persistent threats and increased risk of data compromise or further system exploitation.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender threat action through registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Threats\\\\ThreatSeverityDefaultAction*\" Registry.registry_value_data IN (\"0x00000001\", \"9\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_define_win_defender_threat_action_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "395ed5fe-ad13-4366-9405-a228427bdd91", "description": "The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender context menu registry key deleted on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_context_menu_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "description": "The following analytic detects the deletion of the Windows Defender main profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically monitoring for deleted actions within the Windows Defender registry path. This activity is significant as it indicates potential tampering with security defenses, often associated with Remote Access Trojans (RATs) and other malware. If confirmed malicious, this action could allow an attacker to disable Windows Defender, reducing the system's ability to detect and respond to further malicious activities, thereby compromising endpoint security.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_profile_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "description": "The following analytic detects modifications in the Windows registry by the Applocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a \"Deny\" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker registry modification to deny the action of several AV products on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy Objects\\\\*\" AND Registry.registry_path= \"*}Machine\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\") OR Registry.registry_path=\"*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\" AND Registry.registry_value_data = \"*Action\\=\\\"Deny\\\"*\" AND Registry.registry_value_data IN(\"*O=SYMANTEC*\",\"*O=MCAFEE*\",\"*O=KASPERSKY*\",\"*O=BLEEPING COMPUTER*\", \"*O=PANDA SECURITY*\",\"*O=SYSTWEAK SOFTWARE*\", \"*O=TREND MICRO*\", \"*O=AVAST*\", \"*O=GRIDINSOFT*\", \"*O=MICROSOFT*\", \"*O=NANO SECURITY*\", \"*O=SUPERANTISPYWARE.COM*\", \"*O=DOCTOR WEB*\", \"*O=MALWAREBYTES*\", \"*O=ESET*\", \"*O=AVIRA*\", \"*O=WEBROOT*\") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "False positives may be present based on organization use of Applocker. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_deny_security_software_with_applocker_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "3032741c-d6fc-4c69-8988-be8043d6478c", "description": "The following analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableControlledFolderAccess registry setting. This activity is significant because Controlled Folder Access is designed to protect critical folders from unauthorized access, including ransomware attacks. If this activity is confirmed malicious, it could allow attackers to bypass a key security feature, potentially leading to unauthorized access or modification of sensitive files.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ControlledFolderAccess feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_controlled_folder_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "8467d8cd-b0f9-46fa-ac84-a30ad138983e", "description": "The following analytic detects modifications in the Windows registry to disable firewall and network protection settings within Windows Defender Security Center. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the UILockdown registry value. This activity is significant as it may indicate an attempt to impair system defenses, potentially restricting users from modifying firewall or network protection settings. If confirmed malicious, this could allow an attacker to weaken the system's security posture, making it more vulnerable to further attacks and unauthorized access.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender firewall and network protection section feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender Security Center\\\\Firewall and network protection\\\\UILockdown\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_firewall_and_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "b2215bfb-6171-4137-af17-1a02fdd8d043", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableProtocolRecognition\" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Protocol Recognition set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\DisableProtocolRecognition\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_protocol_recognition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable PUA Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "fbfef407-cfee-4866-88c1-f8de1c16147c", "description": "The following analytic detects a modification in the Windows registry to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection leverages data from the Endpoint.Registry datamodel, focusing on registry path changes related to Windows Defender. Disabling PUA protection is significant as it reduces defenses against Potentially Unwanted Applications (PUAs), which, while not always malicious, can negatively impact user experience and security. If confirmed malicious, this activity could allow an attacker to introduce adware, browser toolbars, or other unwanted software, potentially compromising system integrity and user productivity.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender PUA protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\PUAProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_pua_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "ffd99aea-542f-448e-b737-091c1b417274", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender signature updates. This activity is significant because disabling real-time signature delivery can prevent Windows Defender from receiving timely malware definitions, reducing its effectiveness. If confirmed malicious, this action could allow attackers to bypass malware detection, leading to potential system compromise and persistent threats.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File realtime signature delivery set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\RealtimeSignatureDelivery\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_realtime_signature_delivery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "e234970c-dcf5-4f80-b6a9-3a562544ca5b", "description": "The following analytic detects modifications to the Windows registry entry \"EnableWebContentEvaluation\" to disable Windows Defender web content evaluation. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes where the registry value is set to \"0x00000000\". This activity is significant as it indicates an attempt to impair browser security features, potentially allowing malicious web content to bypass security checks. If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender web content evaluation feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\AppHost\\\\EnableWebContentEvaluation\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_web_evaluation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "8b700d7e-54ad-4d7d-81cc-1456c4703306", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Application Guard auditing. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because disabling auditing can hinder security monitoring and threat detection within the isolated environment, making it easier for malicious activities to go unnoticed. If confirmed malicious, this action could allow attackers to bypass Windows Defender protections, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender AuditApplicationGuard feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\AppHVSI\\\\AuditApplicationGuard\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_app_guard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "fe52c280-98bd-4596-b6f6-a13bbf8ac7c6", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's file hash computation by setting the EnableFileHashComputation value to 0. This detection leverages data from the Endpoint.Registry data model, focusing on changes to the specific registry path associated with Windows Defender. Disabling file hash computation can significantly impair Windows Defender's ability to detect and scan for malware, making it a critical behavior to monitor. If confirmed malicious, this activity could allow attackers to bypass Windows Defender, facilitating undetected malware execution and persistence in the environment.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File hashes computation set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\MpEngine\\\\EnableFileHashComputation\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_compute_file_hashes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "93f114f6-cb1e-419b-ac3f-9e11a3045e70", "description": "The following analytic detects modifications in the Windows registry to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"DisableGenericRePorts\" registry value. This activity is significant as it can prevent the transmission of error reports to Microsoft's Windows Error Reporting service, potentially hiding malicious activities. If confirmed malicious, this action could allow attackers to bypass Windows Defender detections, reducing the visibility of their activities and increasing the risk of undetected system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableGenericRePorts registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\DisableGenericRePorts\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_gen_reports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "8b6c15c7-5556-463d-83c7-986326c21f12", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableNetworkProtection registry entry. This activity is significant because disabling Network Protection can leave the system vulnerable to network-based threats by preventing Windows Defender from analyzing and blocking malicious network activity. If confirmed malicious, this action could allow attackers to bypass security measures, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Exploit Guard network protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Network Protection\\\\EnableNetworkProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_network_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "201946c6-b1d5-42bb-a7e0-5f7123f47fc4", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's infection reporting. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"DontReportInfectionInformation\" registry key. This activity is significant because it can prevent Windows Defender from reporting detailed threat information to Microsoft, potentially allowing malware to evade detection. If confirmed malicious, this action could enable attackers to bypass security measures, maintain persistence, and avoid detection, leading to prolonged unauthorized access and potential data breaches.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DontReportInfectionInformation registry is enabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\MRT\\\\DontReportInfectionInformation\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_report_infection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "0418e72f-e710-4867-b656-0688e1523e09", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender Scan On Update feature. It leverages data from the Endpoint.Registry datamodel, specifically looking for changes to the \"DisableScanOnUpdate\" registry setting with a value of \"0x00000001\". This activity is significant because disabling automatic scans can leave systems vulnerable to malware and other threats. If confirmed malicious, this action could allow attackers to bypass Windows Defender, facilitating further compromise and persistence within the environment.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableScanOnUpdate feature set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\DisableScanOnUpdate\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_scan_on_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "7567a72f-bada-489d-aef1-59743fb64a66", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the DisableSignatureRetirement registry setting. This activity is significant because disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. If confirmed malicious, this action could allow an attacker to evade detection by using older, less relevant signatures, thereby compromising the system's security posture.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableSignatureRetirement registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\DisableSignatureRetirement\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_signature_retirement_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "10ca081c-57b1-4a78-ba56-14a40a7e116a", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry data model, focusing on changes to specific registry values related to Microsoft Edge's phishing filter settings. This activity is significant because disabling the phishing filter can allow attackers to deceive users into visiting malicious websites without triggering browser warnings. If confirmed malicious, this could lead to users unknowingly accessing harmful sites, resulting in potential security incidents or data compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Phishing Filter registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = \"*\\\\MicrosoftEdge\\\\PhishingFilter\" Registry.registry_value_name IN (\"EnabledV9\", \"PreventOverride\") Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_overide_win_defender_phishing_filter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "08058866-7987-486f-b042-275715ef6e9d", "description": "The following analytic detects modifications to the Windows registry that override the Windows Defender SmartScreen prompt. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"PreventSmartScreenPromptOverride\" registry setting. This activity is significant because it indicates an attempt to disable the prevention of user overrides for SmartScreen prompts, potentially allowing users to bypass security warnings. If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen prompt was override on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Microsoft\\\\Edge\\\\PreventSmartScreenPromptOverride\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_override_smartscreen_prompt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "cc2a3425-2703-47e7-818f-3dca1b0bc56f", "description": "The following analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to \"warn.\" This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ShellSmartScreenLevel registry value. This activity is significant because altering SmartScreen settings to \"warn\" can reduce immediate suspicion from users, allowing potentially malicious executables to run with just a warning prompt. If confirmed malicious, this could enable attackers to execute harmful files, increasing the risk of successful malware deployment and subsequent system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen Level to Warn on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\System\\\\ShellSmartScreenLevel\" Registry.registry_value_data=\"Warn\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable HVCI", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "description": "The following analytic detects the disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages data from the Endpoint datamodel, specifically focusing on registry paths and values related to HVCI settings. This activity is significant because HVCI helps protect the kernel and system processes from tampering by malicious code. If confirmed malicious, disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or other severe security breaches.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "HVCI has been disabled on $dest$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\\Enabled\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to administrative scripts disabling HVCI. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_hvci_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "description": "The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderApiLogger\\\\Start\" OR Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderAuditLogger\\\\Start\") Registry.registry_value_data =\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_win_defender_auto_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indicator Removal Via Rmdir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "c4566d2c-b094-48a1-9c59-d66e22065560", "description": "The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process execute rmdir command to delete files and directory tree in $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*rmdir*\" Processes.process = \"* /s *\" Processes.process = \"* /q *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indicator_removal_via_rmdir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via forfiles", "author": "Eric McGinnis, Splunk", "date": "2024-05-28", "version": 2, "id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "description": "The following analytic detects the execution of programs initiated by forfiles.exe. This command is typically used to run commands on multiple files, often within batch scripts. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where forfiles.exe is the parent process. This activity is significant because forfiles.exe can be exploited to bypass command line execution protections, making it a potential vector for malicious activity. If confirmed malicious, this could allow attackers to execute arbitrary commands, potentially leading to unauthorized access or further system compromise.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles"], "tags": {"analytic_story": ["Living Off The Land", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The forfiles command (forfiles.exe) launched the process name - $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1202"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*forfiles* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via pcalua", "author": "Eric McGinnis, Splunk", "date": "2024-05-10", "version": 2, "id": "3428ac18-a410-4823-816c-ce697d26f7a8", "description": "The following analytic detects programs initiated by pcalua.exe, the Microsoft Windows Program Compatibility Assistant. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process information. While pcalua.exe can start legitimate programs, it is significant because attackers may use it to bypass command line execution protections. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, potentially leading to unauthorized actions, privilege escalation, or persistence within the environment.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1202"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*pcalua* -a*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_pcalua_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "description": "The following analytic detects excessive usage of the forfiles.exe process, which is often indicative of post-exploitation activities. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and parent process. This activity is significant because forfiles.exe can be abused to execute commands on multiple files, a technique used by ransomware like Prestige. If confirmed malicious, this behavior could allow attackers to enumerate files, potentially leading to data exfiltration or further malicious actions.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "excessive forfiles process execution in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1202"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"forfiles.exe\" OR Processes.original_file_name = \"forfiles.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_series_of_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Information Discovery Fsutil", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "2181f261-93e6-4166-a5a9-47deac58feff", "description": "The following analytic identifies the execution of the Windows built-in tool FSUTIL with the FSINFO parameter to discover file system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. Monitoring this activity is significant because FSUTIL can be abused by adversaries to gather detailed information about the file system, aiding in further exploitation. If confirmed malicious, this activity could enable attackers to map the file system, identify valuable data, and plan subsequent actions such as privilege escalation or persistence.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"fsutil.exe\" OR Processes.original_file_name = \"fsutil.exe\" AND Processes.process = \"*fsinfo*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_information_discovery_fsutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ingress Tool Transfer Using Explorer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "description": "The following analytic identifies instances where the Windows Explorer process (explorer.exe) is executed with a URL in its command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because adversaries, such as those using DCRat malware, may abuse explorer.exe to open URLs with the default browser, which is an uncommon and suspicious behavior. If confirmed malicious, this technique could allow attackers to download and execute malicious payloads, leading to potential system compromise and further malicious activities.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ingress_tool_transfer_using_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InProcServer32 New Outlook Form", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4", "description": "The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, potentially indicating exploitation of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths involving InProcServer32 keys linked to Outlook forms. This activity is significant as it may signify an attempt to achieve authenticated remote code execution via malicious form objects. If confirmed malicious, this could allow an attacker to create arbitrary files and registry keys, leading to remote code execution and potential full system compromise.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" Registry.registry_value_data=*\\\\FORMS\\\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_inprocserver32_new_outlook_form_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Input Capture Using Credential UI Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "description": "The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1056.002", "T1056"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\credui.dll\" AND OriginalFileName = \"credui.dll\") OR (ImageLoaded = \"*\\\\wincredui.dll\" AND OriginalFileName = \"wincredui.dll\") AND NOT(Image IN(\"*\\\\windows\\\\explorer.exe\", \"*\\\\windows\\\\system32\\\\*\", \"*\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_input_capture_using_credential_ui_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Credential Theft", "author": "Michael Haag, Mauricio Velazo, Splunk", "date": "2024-05-18", "version": 5, "id": "ccfeddec-43ec-11ec-b494-acde48001122", "description": "The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.", "references": ["https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0"], "tags": {"analytic_story": ["Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of process name [$process_name$] loading a file [$loaded_file$] was identified on endpoint- [$dest$] to potentially capture credentials in memory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Typically, this will not trigger because, by its very nature, InstallUtil does not require credentials. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_installutil_credential_theft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "dcf74b22-7933-11ec-857c-acde48001122", "description": "The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Living Off The Land", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Remote Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "4fbf9270-43da-11ec-9486-acde48001122", "description": "The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ generating a remote download.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_remote_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "description": "The following analytic detects the use of the Windows InstallUtil.exe binary with the `/u` (uninstall) switch, which can execute code while bypassing application control. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it can indicate an attempt to execute malicious code without administrative privileges. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise or persistence within the environment.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") NOT (Processes.process IN (\"*C:\\\\WINDOWS\\\\CCM\\\\*\")) NOT (Processes.parent_process_name IN (\"Microsoft.SharePoint.Migration.ClientInstaller.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_installutil_uninstall_option_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. Filter as needed by parent process or application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "1a52c836-43ef-11ec-a36c-acde48001122", "description": "The following analytic identifies the use of Windows InstallUtil.exe making a remote network connection using the `/u` (uninstall) switch. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and network activity data. This behavior is significant as it may indicate an attempt to download and execute code while bypassing application control mechanisms. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil URL in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "28e06670-43df-11ec-a569-acde48001122", "description": "The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md", "https://gist.github.com/DanielRTeixeira/0fd06ec8f041f34a32bf5623c6dd479d"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*http://*\",\"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ISO LNK File Creation", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "description": "The following analytic detects the creation of .iso.lnk files in the %USER%\\AppData\\Local\\Temp\\\\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Spearphishing Attachments", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566", "T1204.001", "T1204"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\Microsoft\\\\Windows\\\\Recent\\\\*\") Filesystem.file_name IN (\"*.iso.lnk\", \"*.img.lnk\", \"*.vhd.lnk\", \"*vhdx.lnk\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_iso_lnk_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Java Spawning Shells", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "28c81306-5c47-11ec-bfea-acde48001122", "description": "The following analytic identifies instances where java.exe or w3wp.exe spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, attackers could execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_java_spawning_shells_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Kerberos Local Successful Logon", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "8309c3a8-4d34-48ae-ad66-631658214653", "description": "The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos action=success src=127.0.0.1 | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_kerberos_local_successful_logon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Known Abused DLL Created", "author": "Steven Dick", "date": "2024-05-17", "version": 2, "id": "ea91651a-772a-4b02-ac3d-985b364a5f07", "description": "The following analytic identifies the creation of Dynamic Link Libraries (DLLs) with a known history of exploitation in atypical locations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and filesystem events. This activity is significant as it may indicate DLL search order hijacking or sideloading, techniques used by attackers to execute arbitrary code, maintain persistence, or escalate privileges. If confirmed malicious, this activity could allow attackers to blend in with legitimate operations, posing a severe threat to system integrity and security.", "references": ["https://attack.mitre.org/techniques/T1574/002/", "https://hijacklibs.net/api/", "https://wietze.github.io/blog/hijacking-dlls-in-windows", "https://github.com/olafhartong/sysmon-modular/pull/195/files"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "The file [$file_name$] was written to an unusual location by [$process_name$] on [$dest$].", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!=\"unknown\" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\users\\\\*\",\"*\\\\Windows\\Temp\\\\*\",\"*\\\\programdata\\\\*\") Filesystem.file_name=\"*.dll\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_known_abused_dll_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs_loaded", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs_loaded.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library),WILDCARD(excludes)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Known GraphicalProton Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "bf471c94-0324-4b19-a113-d02749b969bc", "description": "The following analytic detects the loading of DLL modules associated with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This activity is significant as it may indicate the presence of a sophisticated backdoor, warranting immediate investigation. If confirmed malicious, the attacker could gain persistent access to the compromised host, potentially leading to further exploitation and data exfiltration.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Known GraphicalProton backdoor Loaded Modules on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\AclNumsInvertHost.dll\", \"*\\\\ModeBitmapNumericAnimate.dll\", \"*\\\\UnregisterAncestorAppendAuto.dll\", \"*\\\\DeregisterSeekUsers.dll\", \"*\\\\ScrollbarHandleGet.dll\", \"*\\\\PerformanceCaptionApi.dll\", \"*\\\\WowIcmpRemoveReg.dll\", \"*\\\\BlendMonitorStringBuild.dll\", \"*\\\\HandleFrequencyAll.dll\", \"*\\\\HardSwapColor.dll\", \"*\\\\LengthInMemoryActivate.dll\", \"*\\\\ParametersNamesPopup.dll\", \"*\\\\ModeFolderSignMove.dll\", \"*\\\\ChildPaletteConnected.dll\", \"*\\\\AddressResourcesSpec.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_known_graphicalproton_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows KrbRelayUp Service Creation", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 3, "id": "e40ef542-8241-4419-9af4-6324582ea60a", "description": "The following analytic detects the creation of a service with the default name \"KrbSCM\" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was created on $dest$, related to KrbRelayUp.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_krbrelayup_service_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "description": "The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.", "references": ["https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "type": "Endpoint", "role": ["Victim"]}], "message": "A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1135", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_large_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Lateral Tool Transfer RemCom", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "e373a840-5bdc-47ef-b2fd-9cc7aaf387f0", "description": "The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1570"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process=\"*\\\\*\" Processes.process IN (\"*/user:*\", \"*/pwd:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on Administrative use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_lateral_tool_transfer_remcom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ldifde Directory Object Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "35cd29ca-f08c-4489-8815-f715c45460d3", "description": "The following analytic identifies the use of Ldifde.exe, a command-line utility for creating, modifying, or deleting LDAP directory objects. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution and command-line arguments. Monitoring Ldifde.exe is significant because it can be used by attackers to manipulate directory objects, potentially leading to unauthorized changes or data exfiltration. If confirmed malicious, this activity could allow an attacker to gain control over directory services, escalate privileges, or access sensitive information within the network.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Ldifde/", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://twitter.com/0gtweet/status/1564968845726580736?s=20", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-45D28FB47E9B6ACC5DCA9FDA3E790210.html"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ldifde_directory_object_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Linked Policies In ADSI Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "510ea428-4731-4d2f-8829-a28293e427aa", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for domain organizational units. This detection leverages PowerShell operational logs to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, and `findAll()`. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness of the domain structure. If confirmed malicious, this could lead to further exploitation, such as privilege escalation or lateral movement within the network.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_linked_policies_in_adsi_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Local Administrator Credential Stuffing", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "09555511-aca6-484a-b6ab-72cd03d73c34", "description": "The following analytic detects attempts to authenticate using the built-in local Administrator account across more than 30 endpoints within a 5-minute window. It leverages Windows Event Logs, specifically events 4625 and 4624, to identify this behavior. This activity is significant as it may indicate an adversary attempting to validate stolen local credentials across multiple hosts, potentially leading to privilege escalation. If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/004/", "https://attack.mitre.org/techniques/T1110/", "https://www.blackhillsinfosec.com/wide-spread-local-admin-testing/", "https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do-it/", "https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/", "https://wiki.porchetta.industries/smb-protocol/password-spraying"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Local Administrator credential stuffing attack coming from $IpAddress$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_local_administrator_credential_stuffing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows LSA Secrets NoLMhash Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "48cc1605-538c-4223-8382-e36bee5b540d", "description": "The following analytic detects modifications to the Windows registry related to the Local Security Authority (LSA) NoLMHash setting. It identifies when the registry value is set to 0, indicating that the system will store passwords in the weaker Lan Manager (LM) hash format. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring this activity is crucial as it can indicate attempts to weaken password storage security. If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows LSA Secrets NoLMhash Registry on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\NoLMHash\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_lsa_secrets_nolmhash_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mail Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "description": "The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a SMTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1071.003", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\thunderbird.exe\",\"*\\\\outlook.exe\")) (DestinationPortName=\"smtp\" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mail_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mark Of The Web Bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "8ca13343-7405-4916-a2d1-ae34ce0c28ae", "description": "The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1553/005/", "https://github.com/nmantani/PS-MOTW#remove-motwps1"], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A mark-of-the-web data stream is deleted on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=23 TargetFilename = \"*:Zone.Identifier\" | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mark_of_the_web_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Explorer As Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "61490da9-52a1-4855-a0c5-28233c88c481", "description": "The following analytic identifies instances where explorer.exe is spawned by unusual parent processes such as cmd.exe, powershell.exe, or regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because explorer.exe is typically initiated by userinit.exe, and deviations from this norm can indicate code injection or process masquerading attempts by malware like Qakbot. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" AND Processes.process IN (\"*\\\\explorer.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_masquerading_explorer_as_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Msdtc Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "238f3a07-8440-480b-b26f-462f41d9a47c", "description": "The following analytic identifies the execution of msdtc.exe with specific command-line parameters (-a or -b), which are indicative of the PlugX malware. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because PlugX uses these parameters to masquerade its malicious operations within legitimate processes, making it harder to detect. If confirmed malicious, this behavior could allow attackers to gain unauthorized access, exfiltrate data, and conduct espionage, severely compromising the affected system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"], "tags": {"analytic_story": ["PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "msdtc.exe process with process commandline used by PlugX malware in $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"msdtc.exe\" Processes.process = \"*msdtc.exe*\" Processes.process IN (\"* -a*\", \"* -b*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_masquerading_msdtc_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_masquerading_msdtc_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Binary Execution", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "description": "The following analytic identifies the execution of the native mimikatz.exe binary on Windows systems, including instances where the binary is renamed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because Mimikatz is a widely used tool for extracting authentication credentials, posing a severe security risk. If confirmed malicious, this activity could allow attackers to obtain sensitive credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and system compromise.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.varonis.com/blog/what-is-mimikatz", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-320A", "CISA AA23-347A", "Credential Dumping", "Flax Typhoon", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "description": "The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment.", "references": ["https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645"], "tags": {"analytic_story": ["CISA AA23-347A", "Sandworm Tools", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificate file extensions realted to Mimikatz were identified on disk on $dest$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.keyx.rsa.pvk\",\"*sign.rsa.pvk\",\"*sign.dsa.pvk\",\"*dsa.ec.p8k\",\"*dh.ec.p8k\", \"*.pfx\", \"*.der\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_crypto_export_file_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "6410a403-36bb-490f-a06a-11c3be7d2a41", "description": "The following analytic detects modifications to the Windows registry key \"AuthenticationLevelOverride\" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for authentication level settings was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Server Client\\\\AuthenticationLevelOverride\" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint", "Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_authenticationleveloverride_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Minor Updates", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "description": "The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" with a value of \"0x00000000\". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_minor_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Update Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "description": "The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to \"Notify before download.\" This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update notification on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AUOptions\" AND Registry.registry_value_data=\"0x00000002\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_update_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Default Icon Setting", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "description": "The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under \"*HKCR\\\\*\\\\defaultIcon\\\\(Default)*\". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\defaultIcon\\\\(Default)*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_default_icon_setting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Restricted Admin", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "cee573a0-7587-48e6-ae99-10e8c657e89a", "description": "The following analytic detects modifications to the Windows registry entry \"DisableRestrictedAdmin,\" which controls the Restricted Admin mode behavior. This detection leverages registry activity logs from endpoint data sources like Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows Modify Registry Disable Restricted Admin on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_restricted_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Toast Notifications", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "description": "The following analytic detects modifications to the Windows registry that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" with a value set to \"0x00000000\". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for DisallowRun settings was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_toast_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection.", "references": ["https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for raw write notification settings was modified to disable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" with a value of \"0x00000001\". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to disable Windows Defender notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windefender_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "description": "The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" with a value of \"0x00000000\". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for security center notification settings was modified to disable mode in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windows_security_center_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "4927c6f1-4667-42e6-bd7a-f5222116386b", "description": "The following analytic detects modifications to the Windows registry key \"DisableRemoteDesktopAntiAlias\" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableRemoteDesktopAntiAlias\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disableremotedesktopantialias_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "989019b4-b7aa-418a-9a17-2293e91288b6", "description": "The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for terminal services settings was modified to disable security settings on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableSecuritySettings\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disablesecuritysettings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disabling WER Settings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "description": "The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to \"0x00000001\". This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disabling_wer_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisAllow Windows App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "description": "The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" with a value of \"0x00000001\". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for DisallowRun settings was modified to enable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disallow_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" with a value of \"0x00000001\". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_do_not_connect_to_win_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DontShowUI", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "4ff9767b-fdf2-489c-83a5-c6c34412d72e", "description": "The following analytic detects modifications to the Windows Error Reporting registry key \"DontShowUI\" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disable show UI on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\DontShowUI\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_dontshowui_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry EnableLinkedConnections", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "93048164-3358-4af0-8680-aa5f38440516", "description": "The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" and the value is set to \"0x00000001\". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows EnableLinkedConnections configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_enablelinkedconnections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry LongPathsEnabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "36f9626c-4272-4808-aadd-267acce681c0", "description": "The following analytic detects a modification to the Windows registry setting \"LongPathsEnabled,\" which allows file paths longer than 260 characters. This detection leverages data from the Endpoint.Registry datamodel, focusing on changes to the specific registry path and value. This activity is significant because adversaries, including malware like BlackByte, exploit this setting to bypass file path limitations, potentially aiding in evasion techniques. If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows LongPathEnable configuration on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_longpathsenabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry MaxConnectionPerServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "064cd09f-1ff4-4823-97e0-45c2f5b087ec", "description": "The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. If confirmed malicious, this could lead to network disruption or further compromise of additional systems.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in max connection per server configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPerServer*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPer1_0Server*\") Registry.registry_value_data = \"0x0000000a\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_maxconnectionperserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoRebootWithLoggedOnUsers\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "description": "The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoUpdate\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry NoChangingWallPaper", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "a2276412-e254-4e9a-9082-4d92edb6a3e0", "description": "The following analytic detects modifications to the Windows registry aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"NoChangingWallPaper\" registry value. This activity is significant as it is a known tactic used by Rhysida ransomware to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to disable changing of wallpaper on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ActiveDesktop\\\\NoChangingWallPaper\" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_nochangingwallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyEnable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5", "description": "The following analytic detects modifications to the Windows registry key \"ProxyEnable\" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Internet Settings\\ProxyEnable\" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to enable proxy on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyEnable\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyenable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "12bdaa0b-3c59-4489-aae1-bff6d67746ef", "description": "The following analytic detects modifications to the Windows registry key for setting up a proxy server. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the \"Internet Settings\\\\ProxyServer\" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to setup proxy server on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyServer\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-12", "version": 3, "id": "2e768497-04e0-4188-b800-70dd2be0e30d", "description": "The following analytic detects the creation of a suspicious registry entry by Qakbot malware, characterized by 8 random registry value names with encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the \"SOFTWARE\\\\Microsoft\\\\\" path by processes like explorer.exe. This activity is significant as it indicates potential Qakbot infection, which uses the registry to store malicious code or configuration data. If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry with binary data created by $process_name$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\*\" AND Registry.registry_value_data = \"Binary Data\" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name=\"^[0-9a-fA-F]{8}\" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"explorer.exe\", \"wermgr.exe\",\"dxdiag.exe\", \"OneDriveSetup.exe\", \"mobsync.exe\", \"msra.exe\", \"xwizard.exe\") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_qakbot_binary_data_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Reg Restore", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e", "description": "The following analytic detects the execution of reg.exe with the \"restore\" parameter, indicating an attempt to restore registry backup data on a host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate post-exploitation actions, such as those performed by tools like winpeas, which use \"reg save\" and \"reg restore\" to manipulate registry settings. If confirmed malicious, this could allow an attacker to revert registry changes, potentially bypassing security controls and maintaining persistence.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* restore *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_reg_restore_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "824dd598-71be-4203-bc3b-024f4cda340e", "description": "The following analytic detects the modification of the Windows registry using the regedit.exe application with the silent mode parameter. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because the silent mode allows registry changes without user confirmation, which can be exploited by adversaries to import malicious registry settings. If confirmed malicious, this could enable attackers to persist in the environment, escalate privileges, or manipulate system configurations, leading to potential system compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The regedit app was executed with silet mode parameter to import .reg file on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\") AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_regedit_silent_reg_import_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "5eb479b1-a5ea-4e01-8365-780078613776", "description": "The following analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected. It leverages data from the Risk data model in Splunk, focusing on registry-related sources and MITRE technique annotations. This activity is significant because multiple registry modifications can indicate an attempt to persist, hide malicious configurations, or erase forensic evidence. If confirmed malicious, this behavior could allow attackers to maintain persistent access, execute malicious code, and evade detection, posing a severe threat to the integrity and security of the affected host.", "references": ["https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html", "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", "https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html", "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Modify Registry behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*registry*\") All_Risk.annotations.mitre_attack.mitre_technique_id IN (\"*T1112*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | `windows_modify_registry_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "description": "The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the \"Notification_Suppress\" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_suppress_win_defender_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Tamper Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "description": "The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to tamper Windows Defender protection on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_tamper_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\UpdateServiceUrlAlternate\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_updateserviceurlalternate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry USeWuServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key \"UseWUServer.\" It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to \"0x00000001.\" This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\UseWUServer\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_usewuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "4662c6b1-0754-455e-b9ff-3ee730af3ba8", "description": "The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A md5 registry value name $registry_value_name$ is created on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\*\" Registry.registry_value_data = \"Binary Data\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, \"\\\\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,\"^[0-9a-fA-F]{32}$\"),\"md5\",\"nonmd5\") | where validation_result = \"md5\" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_with_md5_reg_key_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry WuServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "description": "The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry wuStatusServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "description": "The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUStatusServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wustatusserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 4, "id": "b7548c2e-9a10-11ec-99e3-acde48001122", "description": "The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"ShowCompColor\" and \"ShowInfoTip\" values under the \"Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\" path. This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"ShowCompColor\" and \"ShowInfoTips\" on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_show_compress_color_and_info_tip_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify System Firewall with Notable Process Path", "author": "Teoderick Contreras, Will Metcalf, Splunk", "date": "2024-05-10", "version": 2, "id": "cd6d7410-9146-4471-a418-49edba6dadc4", "description": "The following analytic detects suspicious modifications to system firewall rules, specifically allowing execution of applications from notable and potentially malicious file paths. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving firewall rule changes. This activity is significant as it may indicate an adversary attempting to bypass firewall restrictions to execute malicious files. If confirmed malicious, this could allow attackers to execute unauthorized code, potentially leading to further system compromise, data exfiltration, or persistence within the environment.", "references": ["https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" Processes.process IN (\"*\\\\windows\\\\fonts\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\windows\\\\debug\\\\*\", \"*\\\\Users\\\\Administrator\\\\Music\\\\*\", \"*\\\\Windows\\\\servicing\\\\*\", \"*\\\\Users\\\\Default\\\\*\",\"*Recycle.bin*\", \"*\\\\Windows\\\\Media\\\\*\", \"\\\\Windows\\\\repair\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\PerfLogs\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_system_firewall_with_notable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_system_firewall_with_notable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOF Event Triggered Execution via WMI", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "description": "The following analytic detects the execution of MOFComp.exe loading a MOF file, often triggered by cmd.exe or powershell.exe, or from unusual paths like User Profile directories. It leverages Endpoint Detection and Response (EDR) data, focusing on process names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker using WMI for persistence or lateral movement. If confirmed malicious, it could allow the attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "references": ["https://attack.mitre.org/techniques/T1546/003/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/", "https://www.sakshamdixit.com/wmi-events/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN (\"cmd.exe\", \"powershell.exe\") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe Processes.process IN (\"*\\\\AppData\\\\Local\\\\*\",\"*\\\\Users\\\\Public\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or file paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mof_event_triggered_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOVEit Transfer Writing ASPX", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "description": "The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft"], "tags": {"analytic_story": ["MOVEit Transfer Critical Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The MOVEit application on $dest$ has written a new ASPX file to disk.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\MOVEitTransfer\\\\wwwroot\\\\*\") Filesystem.file_name IN(\"*.aspx\", \"*.ashx\", \"*.asp*\") OR Filesystem.file_name IN (\"human2.aspx\",\"_human2.aspx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_moveit_transfer_writing_aspx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "396de86f-25e7-4b0e-be09-a330be35249d", "description": "The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.", "references": ["https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`msexchange_management` EventCode=1 Message IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"*Search-Mailbox*\") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`", "how_to_implement": "The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.", "known_false_positives": "False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "msexchange_management", "definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_msexchange_management_mailbox_cmdlet_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mshta Execution In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "e13ceade-b673-4d34-adc4-4d9c01729753", "description": "The following analytic detects the execution of mshta.exe via registry entries to run malicious scripts. It leverages registry activity logs to identify entries containing \"mshta,\" \"javascript,\" \"vbscript,\" or \"WScript.Shell.\" This behavior is significant as it indicates potential fileless malware, such as Kovter, which uses encoded scripts in the registry to persist and execute without files. If confirmed malicious, this activity could allow attackers to maintain persistence, execute arbitrary code, and evade traditional file-based detection methods, posing a significant threat to system integrity and security.", "references": ["https://redcanary.com/threat-detection-report/techniques/mshta/", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide"], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry $registry_path$ contains mshta $registry_value_data$ in $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mshta_execution_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSHTA Writing to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "efbcf8ee-bc75-47f1-8985-a5c638c4faf0", "description": "The following analytic identifies instances of `mshta.exe` writing files to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file write operations by `mshta.exe` to directories like `C:\\Windows\\Tasks` and `C:\\Windows\\Temp`. This activity is significant as it often indicates an attempt to establish persistence or execute malicious code, deviating from the utility's legitimate use. If confirmed malicious, this behavior could lead to the execution of multi-stage payloads, potentially resulting in full system compromise and unauthorized access to sensitive information.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ writing to $TargetFilename$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*\\\\mshta.exe\" TargetFilename IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") | rename Computer as dest, User as user | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\\Windows\\Tasks`, `C:\\Windows\\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed.", "known_false_positives": "False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mshta_writing_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-06", "version": 2, "id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "description": "The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/y*\", \"*-y*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "9683271d-92e4-43b5-a907-1983bfb9f7fd", "description": "The following analytic detects the execution of the msiexec.exe process with the /HideWindow and rundll32 command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because it is a known tactic used by malware like QakBot to mask malicious operations under legitimate system processes. If confirmed malicious, this behavior could allow an attacker to download additional payloads, execute malicious code, or establish communication with remote servers, thereby evading detection and maintaining persistence.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a msiexec parent process with /hidewindow rundll32 process commandline in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = \"* /HideWindow *\" Processes.process = \"* rundll32*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_hidewindow_rundll32_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other possible 3rd party msi software installers use this technique as part of its installation process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_hidewindow_rundll32_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Remote Download", "author": "Michael Haag, Splunk", "date": "2024-05-08", "version": 2, "id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "description": "The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*http://*\", \"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter by destination or parent process as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_remote_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn Discovery Command", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "description": "The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN (\"powershell.exe\",\"cmd.exe\", \"nltest.exe\",\"ipconfig.exe\",\"systeminfo.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_discovery_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn WinDBG", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "9a18f7c2-1fe3-47b8-9467-8b3976770a30", "description": "The following analytic identifies the unusual behavior of MSIExec spawning WinDBG. It detects this activity by analyzing endpoint telemetry data, specifically looking for instances where 'msiexec.exe' is the parent process of 'windbg.exe'. This behavior is significant as it may indicate an attempt to debug or tamper with system processes, which is uncommon in typical user activity and could signify malicious intent. If confirmed malicious, this activity could allow an attacker to manipulate or inspect running processes, potentially leading to privilege escalation or persistence within the environment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name=windbg.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process_path Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_msiexec_spawn_windbg_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_windbg_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "description": "The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/z*\", \"*-z*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_unregister_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec With Network Connections", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "827409a1-5393-4d8d-8da4-bbb297c262a7", "description": "The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering is required.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_with_network_connections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multi hop Proxy TOR Website Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4c2d198b-da58-48d7-ba27-9368732d0054", "description": "The following analytic identifies DNS queries to known TOR proxy websites, such as \"*.torproject.org\" and \"www.theonionrouter.com\". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a dns query in a tor domain $QueryName$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1071.003", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*.torproject.org\", \"www.theonionrouter.com\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this proxies if allowed in production environment. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multi_hop_proxy_tor_website_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Account Passwords Changed", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "faefb681-14be-4f0d-9cac-0bc0160c7280", "description": "The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ changed the passwords of multiple accounts in a short period of time.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4724 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_account_passwords_changed_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_account_passwords_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Accounts Deleted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "49c0d4d6-c55d-4d3a-b3d5-7709fafed70d", "description": "The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ deleted multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4726 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_deleted_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_accounts_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Accounts Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "5d93894e-befa-4429-abde-7fc541020b7b", "description": "The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ disabled multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4725 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_accounts_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 3, "id": "98f22d82-9d62-11eb-9fcf-acde48001122", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "001266a6-9d5b-11eb-829b-acde48001122", "description": "The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "57ad5a64-9df7-11eb-a290-acde48001122", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "e61918fa-9ca4-11eb-836c-acde48001122", "description": "The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "7ed272a4-9c77-11eb-af22-acde48001122", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "9015385a-9c84-11eb-bef2-acde48001122", "description": "The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "3a91a212-98a9-11eb-b86a-acde48001122", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these events over a 5-minute window. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 3, "id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows New InProcServer32 Added", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "0fa86e31-0f73-4ec7-9ca3-dc88e117f1db", "description": "The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ .", "risk_score": 2, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_new_inprocserver32_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "description": "The following analytic detects the execution of ngrok.exe on a Windows operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly used by adversaries to bypass network defenses and establish reverse proxies. If confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, or facilitate further attacks by tunneling traffic through the compromised system.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1090", "T1102"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft AdvancedRun", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "bb4f3090-7ae4-11ec-897f-acde48001122", "description": "The following analytic detects the execution of AdvancedRun.exe, a tool with capabilities similar to remote administration programs like PsExec. It identifies the process by its name or original file name and flags common command-line arguments. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. Monitoring this activity is crucial as AdvancedRun can be used for remote code execution and configuration-based automation. If malicious, this could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment.", "references": ["http://www.nirsoft.net/utils/advanced_run.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Ransomware", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1588.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN (\"*EXEFilename*\",\"*/cfg*\",\"*RunAs*\", \"*WindowState*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_advancedrun_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft Utilities", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "description": "The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/TA18-201A", "http://www.nirsoft.net/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1588.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` | `windows_nirsoft_utilities_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Filtering may be required before setting to alert.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_nirsoft_software_macro", "definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_utilities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Njrat Fileless Storage via Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "a5fffbbd-271f-4980-94ed-4fbf17f0af1c", "description": "The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a suspicious registry entry related to NjRAT keylloging registry in $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1027.011", "T1027"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\[kl]\" OR Registry.registry_value_data IN (\"*[ENTER]*\", \"*[TAP]*\", \"*[Back]*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_njrat_fileless_storage_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Non Discord App Access Discord LevelDB", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "1166360c-d495-45ac-87a6-8948aac1fa07", "description": "The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-discord process $process_name$ accessing discord \"leveldb\" file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\discord\\\\Local Storage\\\\leveldb*\") AND process_name != *\\\\discord.exe AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_non_discord_app_access_discord_leveldb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Non-System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 3, "id": "b1ce9a72-73cf-11ec-981b-acde48001122", "description": "The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_path", "type": "Process", "role": ["Parent Process"]}], "message": "A process, $parent_process_path$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on legitimate application requests, filter based on source image as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "description": "The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.008"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present as this is meant to assist with filtering and tuning.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load DLL", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "description": "The following analytic detects the execution of odbcconf.exe with the regsvr action to load a DLL. This is identified by monitoring command-line arguments in process creation logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to execute arbitrary code via DLL loading, a common technique used in various attack vectors. If confirmed malicious, this could allow an attacker to execute code with the privileges of the odbcconf.exe process, potentially leading to system compromise or further lateral movement.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*/a *\", \"*-a*\") Processes.process=\"*regsvr*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load Response File", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "description": "The following analytic detects the execution of odbcconf.exe with a response file, which may contain commands to load a DLL (REGSVR) or other instructions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to execute arbitrary code or load malicious DLLs, potentially leading to unauthorized actions. If confirmed malicious, this could allow an attacker to gain code execution, escalate privileges, or establish persistence within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*-f *\",\"*/f *\") Processes.process=\"*.rsp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_response_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Office Product Spawning MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 5, "id": "127eba64-c981-40bf-8589-1830638864a7", "description": "The following analytic detects a Microsoft Office product spawning the Windows msdt.exe process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt to exploit protocol handlers to bypass security controls, even if macros are disabled. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "Office parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"outlook.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_office_product_spawning_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PaperCut NG Spawn Shell", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "description": "The following analytic detects instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, such as cmd.exe or PowerShell. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is pc-app.exe. This activity is significant as it may indicate an attacker attempting to gain unauthorized access or execute malicious commands on the system. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or further compromise of the affected environment.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, but most likely not. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_papercut_ng_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Parent PID Spoofing with Explorer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "17f8f69c-5d00-4c88-9c6f-493bbdef20a1", "description": "The following analytic identifies a suspicious `explorer.exe` process with the `/root` command-line parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and command-line data. The presence of `/root` in `explorer.exe` is significant as it may indicate parent process spoofing, a technique used by malware to evade detection. If confirmed malicious, this activity could allow an attacker to operate undetected, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment.", "references": ["https://x.com/CyberRaiju/status/1273597319322058752?s=20"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An explorer.exe process with process commandline $process$ on dest $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1134.004", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*explorer.exe*\" Processes.process=\"*/root,*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_parent_pid_spoofing_with_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_parent_pid_spoofing_with_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Password Managers Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "description": "The following analytic identifies command-line activity that searches for files related to password manager software, such as \"*.kdbx*\" and \"*credential*\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often target password manager databases to extract stored credentials, which can be used for further exploitation. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, enabling attackers to escalate privileges, move laterally, or exfiltrate critical data.", "references": ["https://attack.mitre.org/techniques/T1555/005/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to password manager databases in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555.005"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.kdbx*\", \"*credential*\", \"*key3.db*\",\"*pass*\", \"*cred*\", \"*key4.db*\", \"*accessTokens*\", \"*access_tokens*\", \"*.htpasswd*\", \"*Ntds.dit*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_password_managers_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "fca01769-5163-4b3a-ae44-de874adfc9bc", "description": "The following analytic detects the creation of a DLL file by an outlook.exe process in the AppData\\Local\\Microsoft\\FORMS directory. This detection leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on process and file creation events. This activity is significant as it may indicate an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially malicious DLL. If confirmed malicious, this could allow an attacker to execute arbitrary code, leading to further system compromise or data exfiltration.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "an outlook process dropped dll file into $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name =\"*.dll\" Filesystem.file_path = \"*\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_outlook_drop_dll_in_form_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing PDF File Executes URL Link", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "description": "The following analytic detects suspicious PDF viewer processes spawning browser application child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it may indicate a PDF spear-phishing attempt where a malicious URL link is executed, leading to potential payload download. If confirmed malicious, this could allow attackers to execute code, escalate privileges, or persist in the environment by exploiting the user's browser to connect to a malicious site.", "references": ["https://twitter.com/pr0xylife/status/1615382907446767616?s=20"], "tags": {"analytic_story": ["Snake Keylogger", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"AcroRd32.exe\", \"FoxitPDFReader.exe\") Processes.process_name IN (\"firefox.exe\", \"chrome.exe\", \"iexplore.exe\") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_pdf_file_executes_url_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 3, "id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "description": "The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.iso\" OR Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.img\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_recent_iso_exec_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Possible Credential Dumping", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 4, "id": "e4723b92-7266-11ec-af45-acde48001122", "description": "The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe granted_access IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_possible_credential_dumping_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Post Exploitation Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "edb930df-64c2-4bb7-9b5c-889ed53fb973", "description": "The following analytic identifies four or more distinct post-exploitation behaviors on a Windows system. It leverages data from the Risk data model in Splunk Enterprise Security, focusing on multiple risk events and their associated MITRE ATT&CK tactics and techniques. This activity is significant as it indicates potential malicious actions following an initial compromise, such as persistence, privilege escalation, or data exfiltration. If confirmed malicious, this behavior could allow attackers to maintain control, escalate privileges, and further exploit the compromised environment, leading to significant security breaches and data loss.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat"], "tags": {"analytic_story": ["Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"*Windows Post-Exploitation*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_post_exploitation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "description": "The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing \"system.enterpriseservices.internal.publish\". This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was used to install a module to the Global Assembly Cache on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*system.enterpriseservices.internal.publish*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on developers or third party utilities adding items to the GAC.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_add_module_to_global_assembly_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Cryptography Namespace", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 3, "id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "description": "The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains cryptography command detected on host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_cryptography_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-05", "version": 2, "id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "description": "The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to \"false\" or \"dontLog\". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union"], "tags": {"analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562", "T1562.002", "T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*get-WebConfigurationProperty*\",\"*Set-ItemProperty*\") AND ScriptBlockText IN (\"*httpLogging*\",\"*Logfile.enabled*\") AND ScriptBlockText IN (\"*dontLog*\", \"*false*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "description": "The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-certificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-pfxcertificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "description": "The following analytic detects the use of the Get-CimInstance cmdlet with the -ComputerName parameter, indicating an attempt to retrieve information from a remote computer. It leverages PowerShell Script Block Logging to identify this specific command execution. This activity is significant as it may indicate unauthorized remote access or information gathering by an attacker. If confirmed malicious, this could allow the attacker to collect sensitive data from remote systems, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_get_ciminstance_remote_computer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "description": "The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, or modify IIS Modules. This detection leverages PowerShell Script Block Logging, specifically monitoring EventCode 4104 for these cmdlets. This activity is significant as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed malicious, this could allow attackers to persist in the environment, manipulate web server behavior, or escalate privileges.", "references": ["https://learn.microsoft.com/en-us/powershell/module/webadministration/new-webglobalmodule?view=windowsserver2022-ps", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*New-WebGlobalModule*\",\"*Enable-WebGlobalModule*\",\"*Set-WebGlobalModule*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_iis_components_webglobalmodule_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Import Applocker Policy", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "description": "The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059", "T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "administrators may execute this command that may cause some false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_import_applocker_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell RemoteSigned File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "f7f7456b-470d-4a95-9703-698250645ff4", "description": "The following analytic identifies the use of the \"remotesigned\" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing \"remotesigned\" and \"-File\". This activity is significant because the \"remotesigned\" policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell commandline with remotesigned policy executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"* remotesigned *\" Processes.process=\"* -File *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_powershell_remotesigned_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell ScheduleTask", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "description": "The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise.", "references": ["https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-ScheduledTask*\", \"*New-ScheduledTaskAction*\", \"*New-ScheduledTaskSettingsSet*\", \"*New-ScheduledTaskTrigger*\", \"*Register-ClusteredScheduledTask*\", \"*Register-ScheduledTask*\", \"*Set-ClusteredScheduledTask*\", \"*Set-ScheduledTask*\", \"*Start-ScheduledTask*\", \"*Enable-ScheduledTask*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_scheduletask_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "47c69803-2c09-408b-b40a-063c064cbb16", "description": "The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_wmi_win32_scheduledjob_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerSploit GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "0130a0df-83a1-4647-9011-841e950ff302", "description": "The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://adsecurity.org/?p=2288", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Commandlets leveraged to discover GPP credentials were executed on $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1552", "T1552.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powersploit_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "39405650-c364-4e1e-a740-32a63ef042a6", "description": "The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1078/002/", "https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView AD acccess control list enumeration detected on $Computer$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_ad_access_control_list_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-TrustedToAuth*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_constrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-31", "version": 2, "id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "description": "The following analytic detects the execution of the `Get-DomainSPNTicket` commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging (EventCode=4104). This commandlet requests Kerberos service tickets for specified service principal names (SPNs). Monitoring this activity is crucial as it can indicate attempts to perform Kerberoasting, a technique used to extract SPN account passwords via cracking tools like hashcat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive accounts, potentially leading to privilege escalation and further network compromise.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for requesting SPN service ticket executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView SPN Discovery", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "a7093c28-796c-4ebb-9997-e2c18b870837", "description": "The following analytic detects the execution of the `Get-DomainUser` or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) to identify these specific commands. This activity is significant as it suggests an attempt to enumerate domain accounts associated with Service Principal Names (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this could allow an attacker to identify and target accounts for credential theft, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for SPN discovery executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_spn_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-Unconstrained*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Private Keys Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "description": "The following analytic identifies processes that retrieve information related to private key files, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that search for private key certificates. This activity is significant as it indicates potential attempts to locate insecurely stored credentials, which adversaries can exploit for privilege escalation, persistence, or remote service authentication. If confirmed malicious, this behavior could allow attackers to access sensitive information, escalate privileges, or maintain persistence within the compromised environment.", "references": ["https://attack.mitre.org/techniques/T1552/004/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to private keys in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.rdg*\", \"*.gpg*\", \"*.pgp*\", \"*.p12*\", \"*.der*\", \"*.csr*\", \"*.cer*\", \"*.ovpn*\", \"*.key*\", \"*.ppk*\", \"*.p12*\", \"*.pem*\", \"*.pfx*\", \"*.p7b*\", \"*.asc*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_private_keys_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "author": "Steven Dick", "date": "2024-05-23", "version": 2, "id": "6a80300a-9f8a-4f22-bd3e-09ca577cfdfc", "description": "The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring or Sysmon EventID 1. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068", "T1548", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN (\"system\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\")) OR (Processes.process_integrity_level IN (\"high\",\"system\") AND (Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") OR Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`", "how_to_implement": "Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.", "known_false_positives": "False positives may be generated by administrators installing benign applications using run-as/elevation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_suspicious_process_elevation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation System Process Without System Parent", "author": "Steven Dick", "date": "2024-05-28", "version": 2, "id": "5a5351cd-ba7e-499e-ad82-2ce160ffa637", "description": "The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1068", "T1548", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=1 IntegrityLevel=\"system\" ParentUser=* NOT ParentUser IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"*DWM-*\",\"*$\",\"-\") | eval src_user = replace(ParentUser,\"^[^\\\\\\]+\\\\\\\\\",\"\") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_privilege_escalation_system_process_without_system_parent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "author": "Steven Dick", "date": "2024-05-13", "version": 2, "id": "c9687a28-39ad-43c6-8bcf-eaf061ba0cbe", "description": "The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $user$ launched a process [$process_name$] which spawned a system level integrity process [$system_process$].", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1068", "T1548", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") AND Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"system\") AND Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_user_process_spawn_system_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 15.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_user_process_spawn_system_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Commandline Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "67d2a52e-a7e2-4a5d-ae44-a21212048bc2", "description": "The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to process commandline discovery detected on $dest$ using wmic.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1057"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= \"* process *\" Processes.process= \"* get commandline *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_commandline_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "d131673f-ede1-47f2-93a1-0108d3e7fafd", "description": "The following analytic identifies instances of the searchindexer.exe process that are not spawned by services.exe, indicating potential process injection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes. This activity is significant because QakBot malware often uses a fake searchindexer.exe to evade detection and perform malicious actions such as data exfiltration and keystroke logging. If confirmed malicious, this activity could allow attackers to maintain persistence, steal sensitive information, and communicate with command and control servers.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An uncommon non-service searchindexer.exe process in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_injection_in_non_service_searchindexer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection into Notepad", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "description": "The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "references": ["https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055", "T1055.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN (*\\\\notepad.exe) NOT (SourceImage IN (\"*\\\\system32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\Program Files\\\\*\")) GrantedAccess IN (\"0x40\",\"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_into_notepad_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "description": "The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.", "references": ["https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055.001", "T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\wermgr.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_of_wermgr_to_known_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Remote Thread", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "description": "The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055", "T1055.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\Taskmgr.exe\", \"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\",\"*\\\\cmd.exe\", \"*\\\\powershell.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_remote_thread_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Wermgr Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "description": "The following analytic identifies a suspicious instance of wermgr.exe spawning a child process unrelated to error or fault handling. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant as it can indicate Qakbot malware, which injects malicious code into wermgr.exe to evade detection and execute malicious actions. If confirmed malicious, this behavior could allow an attacker to conduct reconnaissance, execute arbitrary code, and persist within the network, posing a severe security risk.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wermgr parent process has a child process $process_name$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" AND NOT (Processes.process_name IN (\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_injection_wermgr_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection With Public Source Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "description": "The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055", "T1055.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=8 TargetImage = \"*.exe\" AND NOT(SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_with_public_source_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process With NamedPipe CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "e64399d4-94a8-11ec-a9da-acde48001122", "description": "The following analytic detects processes with command lines containing named pipes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant as it is often used by adversaries, such as those behind the Olympic Destroyer malware, for inter-process communication post-injection, aiding in defense evasion and privilege escalation. If confirmed malicious, this activity could allow attackers to maintain persistence, escalate privileges, or evade defenses, potentially leading to further compromise of the system.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process with named pipe in $process$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*\\\\\\\\.\\\\pipe\\\\*\" NOT (Processes.process_path IN (\"*\\\\program files*\")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Normal browser application may use this technique. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_with_namedpipe_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Writing File to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "c051b68c-60f7-4022-b3ad-773bec7a225b", "description": "The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://research.splunk.com/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A process wrote a file name- [$file_name$] to a world writable file path [$file_path$] on host- [$dest$].", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_writing_file_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "description": "The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like \"PServiceControl.exe\" and \"PService_PPD.exe\" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process was terminated $process_name$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=5 process_name IN (\"PServiceControl.exe\", \"PService_PPD.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_processes_killed_by_industroyer2_malware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Protocol Tunneling with Plink", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "description": "The following analytic detects the use of Plink for protocol tunneling, either for egress or lateral movement within an organization. It identifies specific Plink command-line options (-R, -L, -D, -l) by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to bypass network security controls or establish unauthorized connections. If confirmed malicious, this could allow an attacker to exfiltrate data, move laterally across the network, or maintain persistent access, posing a severe threat to the organization's security.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html", "https://attack.mitre.org/techniques/T1572/", "https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5"], "tags": {"analytic_story": ["CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1021.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe OR Processes.original_file_name=Plink Processes.process IN (\"*-R *\", \"*-L *\", \"*-D *\", \"*-l *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_protocol_tunneling_with_plink_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "description": "The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"portproxy\" and \"v4tov4\" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1090.001", "T1090"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* portproxy *\" Processes.process = \"* v4tov4 *\" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "0270455b-1385-4579-9ac5-e77046c508ae", "description": "The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification for port proxy in$dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1090.001", "T1090"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry Browser List Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "description": "The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process accessing installed default browser registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\", \"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\") AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_query_registry_browser_list_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Query Registry Reg Save", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "cbee60c1-b776-456f-83c2-faa56bdbe6c6", "description": "The following analytic detects the execution of the reg.exe process with the \"save\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the \"reg save\" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["CISA AA23-347A", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* save *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_query_registry_reg_save_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry UnInstall Program List", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "description": "The following analytic detects a suspicious query on the uninstall application list in the Windows OS registry. It leverages Windows Security Event logs, specifically event code 4663, to identify access to the \"Uninstall\" registry key. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing uninstall registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_query_registry_uninstall_program_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Raccine Scheduled Task Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "c9f010da-57ab-11ec-82bd-acde48001122", "description": "The following analytic identifies the deletion of the Raccine Rules Updater scheduled task using the `schtasks.exe` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may delete this task to disable Raccine, a tool designed to prevent ransomware attacks. If confirmed malicious, this action could allow ransomware to execute without interference, leading to potential data encryption and loss.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/Neo23x0/Raccine"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*delete*\" AND Processes.process=\"*Raccine*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_raccine_scheduled_task_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "description": "The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!=\"ANONYMOUS LOGON\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_rapid_authentication_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Rasautou DLL Execution", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "description": "The following analytic detects the execution of an arbitrary DLL by the Windows Remote Auto Dialer (rasautou.exe). This behavior is identified by analyzing process creation events where rasautou.exe is executed with specific command-line arguments. This activity is significant because it leverages a Living Off The Land Binary (LOLBin) to execute potentially malicious code, bypassing traditional security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "references": ["https://github.com/mandiant/DueDLLigence", "https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1", "https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513", "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055.001", "T1218", "T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe Processes.process=\"* -d *\"AND Processes.process=\"* -p *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rasautou_dll_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Disk Volume Partition", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a85aa37e-9647-11ec-90c5-acde48001122", "description": "The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process accessing disk partition $Device$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1561.002", "T1561"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_disk_volume_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "7b83f666-900c-11ec-a2d9-acde48001122", "description": "The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.", "references": ["https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "process accessing MBR $Device$ on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1561.002", "T1561"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\Harddisk0\\\\DR0 NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_master_boot_record_drive_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows RDP Connection Successful", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "description": "The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.", "references": ["https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706", "https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A successful RDP connection on $dest$ occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1563.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`", "how_to_implement": "The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.", "known_false_positives": "False positives will be present, filter as needed or restrict to critical assets on the perimeter.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remoteconnectionmanager", "definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_rdp_connection_successful_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry BootExecute Modification", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "description": "The following analytic detects modifications to the BootExecute registry key, which manages applications and services executed during system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\". This activity is significant because unauthorized changes to this key can indicate attempts to achieve persistence, load malicious code, or tamper with the boot process. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1542", "T1547.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_bootexecute_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Certificate Added", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "description": "The following analytic detects the installation of a root CA certificate by monitoring specific registry paths for SetValue events. It leverages data from the Endpoint datamodel, focusing on registry paths containing \"certificates\" and registry values named \"Blob.\" This activity is significant because unauthorized root CA certificates can compromise the integrity of encrypted communications and facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an attacker to intercept, decrypt, or manipulate sensitive data, leading to severe security breaches.", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004"], "tags": {"analytic_story": ["Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A root certificate was added on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.004", "T1553"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\certificates\\\\*\") AND Registry.registry_value_name=\"Blob\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_certificate_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Delete Task SD", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "ffeb7893-ff06-446f-815b-33ca73224e92", "description": "The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions or modifications of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security. Immediate investigation is required.", "references": ["https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://gist.github.com/MHaggis/5f7fd6745915166fc6da863d685e2728", "https://gist.github.com/MHaggis/b246e2fae6213e762a6e694cabaf0c17"], "tags": {"analytic_story": ["Scheduled Tasks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A scheduled task security descriptor was deleted from the registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Schedule\\\\TaskCache\\\\Tree\\\\*\") Registry.user=\"SYSTEM\" Registry.registry_value_name=\"SD\" (Registry.action=Deleted OR Registry.action=modified) by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_delete_task_sd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-20", "version": 5, "id": "c6149154-c9d8-11eb-9da7-acde48001122", "description": "The following analytic identifies modifications to the SafeBoot registry keys, specifically within the Minimal and Network paths. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring these keys is crucial as adversaries can use them to persist drivers or services in Safe Mode, with Network allowing network connections. If confirmed malicious, this activity could enable attackers to maintain persistence even in Safe Mode, potentially bypassing certain security measures and facilitating further malicious actions.", "references": ["https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md", "https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/"], "tags": {"analytic_story": ["Ransomware", "Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1547.001", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\*\",\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\*\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "updated windows application needed in safe boot may used this registry", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_modification_for_safe_mode_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Payload Injection", "author": "Steven Dick", "date": "2024-05-10", "version": 2, "id": "c6b2d80f-179a-41a1-b95e-ce5601d7427a", "description": "The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless", "https://attack.mitre.org/techniques/T1027/011/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ added a suspicious length of registry data on $dest$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1027", "T1027.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_payload_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry SIP Provider Modification", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "3b4e18cb-497f-4073-85ad-1ada7c2107ab", "description": "The following analytic detects modifications to the Windows Registry SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths and values related to Cryptography Providers and OID Encoding Types. This activity is significant as it may indicate an attempt to subvert trust controls, a common tactic for bypassing security measures and maintaining persistence. If confirmed malicious, an attacker could manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Review the modified registry paths and concurrent processes to identify the attack source.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Registry SIP Provider Modification detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1553.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\") Registry.registry_value_name IN (\"Dll\",\"$DLL\") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_sip_provider_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Regsvr32 Renamed Binary", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "description": "The following analytic identifies instances where the regsvr32.exe binary has been renamed and executed. This detection leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original filename metadata. Renaming regsvr32.exe is significant as it can be an evasion technique used by attackers to bypass security controls. If confirmed malicious, this activity could allow an attacker to execute arbitrary DLLs, potentially leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "regsvr32 was renamed as $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218.010", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_regsvr32_renamed_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "description": "The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", "https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html", "https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html", "https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager", "https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html", "https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219", "T1003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName==\"credui.dll\", 1, OriginalFileName==\"DBGHELP.DLL\", 1, OriginalFileName==\"SAMCLI.DLL\", 1, OriginalFileName==\"winhttp.dll\", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, \"credui.dll\"), 1, match(ImageLoaded, \"dbghelp.dll\"), 1, match(ImageLoaded, \"samcli.dll\"), 1, match(ImageLoaded, \"winhttp.dll\"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "This module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_access_software_brc4_loaded_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "8bd22c9f-05a2-4db1-b131-29271f28cb0a", "description": "The following analytic identifies the use of remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This detection is significant as unauthorized remote access tools can be used by adversaries to maintain persistent access to compromised systems. If confirmed malicious, this activity could allow attackers to remotely control systems, exfiltrate data, or further infiltrate the network. Review the identified software to ensure it is authorized and take action against any unauthorized utilities.", "references": ["https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following Remote Access Software $process_name$ was identified on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Remote Access Software RMS Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "description": "The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing \"SYSTEM\\\\Remote Manipulator System.\" This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry related to RMS tool is created in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\Remote Manipulator System*\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_rms_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Assistance Spawning Process", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "ced50492-8849-11ec-9f68-acde48001122", "description": "The following analytic detects Microsoft Remote Assistance (msra.exe) spawning PowerShell.exe or cmd.exe as a child process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where msra.exe is the parent process. This activity is significant because msra.exe typically does not spawn command-line interfaces, indicating potential process injection or misuse. If confirmed malicious, an attacker could use this technique to execute arbitrary commands, escalate privileges, or maintain persistence on the compromised system.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://app.any.run/tasks/ca1616de-89a1-4afc-a3e4-09d428df2420/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. Add additional shells as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_assistance_spawning_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Remote Create Service", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "description": "The following analytic identifies the creation of a new service on a remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring for EventCode 7045, which indicates a new service creation. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this could allow the attacker to establish persistence, escalate privileges, or execute arbitrary code on the remote system, potentially leading to further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN (\"*create*\") Processes.process=\"*\\\\\\\\*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_create_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "description": "The following analytic detects the execution of the RDPWInst.exe tool, which is an RDP wrapper library used to enable remote desktop host support and concurrent RDP sessions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and specific command-line arguments. This activity is significant because adversaries can abuse this tool to establish unauthorized RDP connections, facilitating remote access and potential lateral movement within the network. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and further compromise of the targeted host.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Rdpwinst.exe executed on $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"RDPWInst.exe\" OR Processes.original_file_name=\"RDPWInst.exe\") AND Processes.process IN (\"* -i*\", \"* -s*\", \"* -o*\", \"* -w*\", \"* -r*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This tool was designed for home usage and not commonly seen in production environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_service_rdpwinst_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Rdp In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "description": "The following analytic detects modifications to the Windows firewall to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"netsh.exe\" to allow TCP port 3389. This activity is significant as it may indicate an adversary attempting to gain remote access to a compromised host, a common tactic for lateral movement. If confirmed malicious, this could allow attackers to remotely control the system, leading to potential data exfiltration or further network compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "new firewall rules was added to allow rdp connection to $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"netsh.exe\" OR Processes.original_file_name= \"netsh.exe\") AND Processes.process = \"*firewall*\" AND Processes.process = \"*add*\" AND Processes.process = \"*protocol=TCP*\" AND Processes.process = \"*localport=3389*\" AND Processes.process = \"*action=allow*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_rdp_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Remote Assistance", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "description": "The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Control\\\\Terminal Server\\\\fAllowToGetHelp\" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_remote_assistance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Rdp Enable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "description": "The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"fDenyTSConnections\" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_rdp_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Replication Through Removable Media", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "description": "The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "executable or script $file_path$ was dropped in root drive $root_drive$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1091"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"%:\") AND dropped_file_path_split_count = 2 AND root_drive!= \"C:\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_replication_through_removable_media_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Root Domain linked policies Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*.SearchRooT*\" ScriptBlockText = \"*.gplink*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_root_domain_linked_policies_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 Apply User Settings Changes", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d", "description": "The following analytic detects the execution of a suspicious rundll32 command line that updates user-specific system parameters, such as desktop backgrounds, display settings, and visual themes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"user32.dll,UpdatePerUserSystemParameters.\" This activity is significant as it is uncommon for legitimate purposes and has been observed in Rhysida Ransomware for defense evasion. If confirmed malicious, this could allow an attacker to disguise activities or make unauthorized system changes, potentially leading to persistent unauthorized access.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,UpdatePerUserSystemParameters*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_apply_user_settings_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_apply_user_settings_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDAV Request", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "320099b7-7eb1-4153-a2b4-decb53267de2", "description": "The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\",\"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDav With Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "description": "The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\", \"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Created Via XML", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 3, "id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "description": "The following analytic detects the creation of scheduled tasks in Windows using schtasks.exe with the -create flag and an XML parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it is a common technique for establishing persistence or achieving privilege escalation, often used by malware like Trickbot and Winter-Vivern. If confirmed malicious, this could allow attackers to maintain access, execute additional payloads, and potentially lead to data theft or ransomware deployment.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["CISA AA23-347A", "Scheduled Tasks", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process=\"* /xml *\" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_created_via_xml_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Service Spawned Shell", "author": "Steven Dick", "date": "2024-05-14", "version": 2, "id": "d8120352-3b62-4e3c-8cb6-7b47584dd5e8", "description": "The following analytic detects when the Task Scheduler service (\"svchost.exe -k netsvcs -p -s Schedule\") spawns common command line, scripting, or shell execution binaries such as \"powershell.exe\" or \"cmd.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A windows scheduled task spawned the shell application $process_name$ on $dest$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*\\\\system32\\\\svchost.exe*\" AND Processes.parent_process=\"*-k*\" AND Processes.parent_process= \"*netsvcs*\" AND Processes.parent_process=\"*-p*\" AND Processes.parent_process=\"*-s*\" AND Processes.parent_process=\"*Schedule*\" Processes.process_name IN(\"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"cmd.exe\", \"sh.exe\", \"ksh.exe\", \"zsh.exe\", \"bash.exe\", \"scrcons.exe\",\"pwsh.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_service_spawned_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task with Highest Privileges", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "description": "The following analytic detects the creation of a new scheduled task with the highest execution privileges via Schtasks.exe. It leverages Endpoint Detection and Response (EDR) logs to monitor for specific command-line parameters ('/rl' and 'highest') in schtasks.exe executions. This activity is significant as it is commonly used in AsyncRAT attacks for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to maintain persistent access and execute tasks with elevated privileges, potentially leading to unauthorized system access and data breaches.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "CISA AA23-347A", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_with_highest_privileges_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Schtasks Create Run As System", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "41a0e58e-884c-11ec-9976-acde48001122", "description": "The following analytic detects the creation of a new scheduled task using Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it often indicates an attempt to gain elevated privileges or maintain persistence within the environment. If confirmed malicious, an attacker could execute code with SYSTEM-level privileges, potentially leading to data theft, ransomware deployment, or further system compromise. Immediate investigation and mitigation are crucial to prevent further damage.", "references": ["https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"], "tags": {"analytic_story": ["Qakbot", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_schtasks", "definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_schtasks_create_run_as_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Screen Capture Via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "description": "The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script was identified possibly performing screen captures on $Computer$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[Drawing.Graphics]::FromImage(*\" AND ScriptBlockText = \"*New-Object Drawing.Bitmap*\" AND ScriptBlockText = \"*.CopyFromScreen*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_screen_capture_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Account Manager Stopped", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 3, "id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "description": "The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the \"net stop samss\" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $process$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE (\"Processes.process_name\"=\"net*.exe\" \"Processes.process\"=\"*stop \\\"samss\\\"*\") BY Processes.dest Processes.user Processes.process Processes.process_guid Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_security_account_manager_stopped_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Support Provider Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "description": "The following analytic identifies command-line activity querying the registry for Security Support Providers (SSPs) related to Local Security Authority (LSA) protection and configuration. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes accessing specific LSA registry paths. Monitoring this activity is crucial as adversaries and post-exploitation tools like winpeas may use it to gather information on LSA protections, potentially leading to credential theft. If confirmed malicious, attackers could exploit this to scrape password hashes or plaintext passwords from memory, significantly compromising system security.", "references": ["https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Sneaky Active Directory Persistence Tricks", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with reg query command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1547.005", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA*\" Processes.process IN (\"*RunAsPPL*\" , \"*LsaCfgFlags*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_security_support_provider_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Server Software Component GACUtil Install to GAC", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "description": "The following analytic detects the use of GACUtil.exe to add a DLL into the Global Assembly Cache (GAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adding a DLL to the GAC allows it to be called by any application, potentially enabling widespread code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code across the operating system, leading to privilege escalation or persistent access.", "references": ["https://strontic.github.io/xcyclopedia/library/gacutil.exe-F2FE4DF74BD214EDDC1A658043828089.html", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://learn.microsoft.com/en-us/dotnet/framework/app-domains/gac"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN (\"*-i *\",\"*/i *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_server_software_component_gacutil_install_to_gac_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create Kernel Mode Driver", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "description": "The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures.", "references": ["https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"], "tags": {"analytic_story": ["CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.003", "T1543", "T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*kernel*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on common applications adding new drivers, however, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_create_kernel_mode_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create RemComSvc", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "0be4b5d6-c449-4084-b945-2392b519c33b", "description": "The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the \"RemCom Service\" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A new service was created related to RemCom on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"RemCom Service\" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present, filter as needed based on administrative activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_create_remcomsvc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Create SliverC2", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "description": "The following analytic detects the creation of a Windows service named \"Sliver\" with the description \"Sliver Implant,\" indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.", "references": ["https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16", "https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://regex101.com/r/DWkkXm/1"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A user mode service was created on $dest$ related to SliverC2.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives should be limited, but if another service out there is named Sliver, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_create_sliverc2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Create with Tscon", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "c13b3d74-6b63-4db5-a841-4206f0370077", "description": "The following analytic detects potential RDP Hijacking attempts by identifying the creation of a Windows service using sc.exe with a binary path that includes tscon.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it indicates an attacker may be trying to hijack a disconnected RDP session, posing a risk of unauthorized access. If confirmed malicious, the attacker could gain control over an existing user session, leading to potential data theft or further system compromise.", "references": ["https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1563.002", "T1563", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*/dest:rdp-tcp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_create_with_tscon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Created with Suspicious Service Path", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 5, "id": "429141be-8311-11eb-adb6-acde48001122", "description": "The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "Clop Ransomware", "Flax Typhoon", "PlugX", "Qakbot", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImagePath", "type": "File", "role": ["Attacker"]}], "message": "A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_created_with_suspicious_service_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Created Within Public Path", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "3abb2eda-4bb8-11ec-9ae4-3e22fbd008af", "description": "The following analytic detects the creation of a Windows Service with its binary path located in public directories using Windows Event ID 7045. This detection leverages logs from the `wineventlog_system` data source, focusing on the `ImagePath` field to identify services installed outside standard system directories. This activity is significant as it may indicate the installation of a malicious service, often used by adversaries for lateral movement or remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or further compromise the system.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://pentestlab.blog/2020/07/21/lateral-movement-services/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ServiceName", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service $ServiceName$ with a public path was created on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Creation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "description": "The following analytic identifies the creation of a Windows Service on a remote endpoint using `sc.exe`. It detects this activity by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include remote paths and service creation commands. This behavior is significant because adversaries often exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_creation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Creation Using Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 4, "id": "25212358-948e-11ec-ad47-acde48001122", "description": "The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "PlugX", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a endpoint from $dest$ using a registry entry", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Third party tools may used this technique to create services but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_creation_using_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Deletion In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "daed6823-b51c-4843-a6ad-169708f1323e", "description": "The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was deleted on $dest$ within the Windows registry.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_deletion_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "3f519894-4276-11ec-ab02-3e22fbd008af", "description": "The following analytic detects the execution of `sc.exe` with command-line arguments used to start a Windows Service on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop By Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "196ff536-58d9-4d1b-9686-b176b04e430b", "description": "The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process=\"* delete *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrative scripts may start/stop/delete services. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_stop_by_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Via Net and SC Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "827af04b-0d08-479b-9b84-b7d4644e4b80", "description": "The following analytic identifies attempts to stop services on a system using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line executions. This activity is significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process$ was executed on $dest$ attempting to stop service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.original_file_name= \"sc.exe\" AND Processes.process=\"*stop*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Windows OS or software may stop and restart services due to some critical update.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_stop_via_net__and_sc_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Win Updates", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "description": "The following analytic detects the disabling of Windows Update services, such as \"Update Orchestrator Service for Windows Update,\" \"WaaSMedicSvc,\" and \"Windows Update.\" It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows update services $service_name$ was being disabled on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7040 (service_name IN (\"Update Orchestrator Service for Windows Update\", \"WaaSMedicSvc\", \"Windows Update\") OR param1 IN (\"UsoSvc\", \"WaaSMedicSvc\", \"wuauserv\")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)", "known_false_positives": "Network administrator may disable this services as part of its audit process within the network. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_stop_win_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows SIP Provider Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "21c5af91-1a4a-4511-8603-64fb41df3fad", "description": "The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats.", "references": ["https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`subjectinterfacepackage` Dll=*\\\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`", "how_to_implement": "To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1", "known_false_positives": "False positives are limited as this is a hunting query for inventory.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "subjectinterfacepackage", "definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_provider_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "6ffc7f88-415b-4278-a80d-b957d6539e1a", "description": "The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that \"The digital signature of the object did not verify.\" This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Failed trust validation via the CryptoAPI 2 on $dest$ for a binary.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1553.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`capi2_operational` EventID=81 \"The digital signature of the object did not verify.\" | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_winverifytrust_failed_trust_validation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware File Modification Crmlog", "author": "Michael Haag, Splunk", "date": "2024-05-07", "version": 2, "id": "27187e0e-c221-471d-a7bd-04f698985ff6", "description": "The following analytic identifies the creation of a .crmlog file within the %windows%\\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\registration\\\\*\" AND Filesystem.file_name=\"*.crmlog\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_file_modification_crmlog_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "628d9c7c-3242-43b5-9620-7234c080a726", "description": "The following analytic detects the creation of the comadmin.dat file in the %windows%\\system32\\Com directory, which is associated with Snake Malware. This detection leverages the Endpoint.Filesystem data model to identify file creation events matching the specified path and filename. This activity is significant because the comadmin.dat file is part of Snake Malware's installation process, which includes dropping a kernel driver and a custom DLL. If confirmed malicious, this activity could allow an attacker to load a malicious driver, potentially leading to privilege escalation and persistent access to the compromised system.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\system32\\\\com\\\\*\" AND Filesystem.file_name=\"comadmin.dat\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_kernel_driver_comadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "description": "The following analytic identifies modifications to the registry path .wav\\\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry modification related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\.wav\\\\OpenWithProgIds\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require tuning based on program Ids in large organizations.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Service Create", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "description": "The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "False positives should be limited as this is a strict primary indicator used by Snake Malware.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_snake_malware_service_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows SOAPHound Binary Execution", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "8e53f839-e127-4d6d-a54d-a2f67044a57f", "description": "The following analytic detects the execution of the SOAPHound binary (`soaphound.exe`) with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and other process-related metadata. This activity is significant because SOAPHound is a known tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could allow an attacker to extract sensitive information, escalate privileges, or persist within the environment, posing a severe threat to organizational security.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The process $process_name$ was executed on $dest$ related to SOAPHound.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"soaphound.exe\" OR Processes.original_file_name=\"soaphound.exe\" AND Processes.process IN (\"*--buildcache *\", \"*--bhdump *\", \"*--certdump *\", \"*--dnsdump *\", \"*-c *\", \"*--cachefilename *\", \"*-o *\", \"*--outputdirectory *\") by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_path Processes.process_integrity_level Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_soaphound_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the command-line arguments are specific to SOAPHound. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_soaphound_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "description": "The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise.", "references": ["https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a office document process $Image$ connect to an URL link $QueryName$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=22 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\",\"*\\\\wordpad.exe\",\"*\\\\wordview.exe\",\"*\\\\onenote.exe\", \"*\\\\onenotem.exe\",\"*\\\\onenoteviewer.exe\",\"*\\\\onenoteim.exe\", \"*\\\\msaccess.exe\") AND NOT(QueryName IN (\"*.office.com\", \"*.office.net\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Office document may contain legitimate url link other than MS office Domain. filter is needed", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "description": "The following analytic detects OneNote spawning `mshta.exe`, a behavior often associated with spearphishing attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where OneNote is the parent process. This activity is significant as it is commonly used by malware families like TA551, AsyncRat, Redline, and DCRAT to execute malicious scripts. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. Immediate investigation and containment are recommended.", "references": ["https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"onenote.exe\", \"onenotem.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "description": "The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319113(v=ws.11)", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/tactics/TA0008/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1087", "T1021.002", "T1135"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_special_privileged_logon_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows SQL Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "dfc18a5a-946e-44ee-a373-c0f60d06e676", "description": "The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "tags": {"analytic_story": ["Flax Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\", \"launchpad.exe\", \"sqldumper.exe\") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_sql_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3", "description": "The following analytic detects the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, excluding legitimate loads from the System32 directory. This activity is significant as it indicates potential DLL sideloading, a technique used by adversaries to execute malicious code within trusted processes. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and evade detection by blending with legitimate processes.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading $ImageLoaded$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 (Image=\"*\\\\SQLDumper.exe\" OR Image=\"*\\\\SQLWriter.exe\") ImageLoaded=\"*\\\\vcruntime140.dll\" NOT ImageLoaded=\"C:\\\\Windows\\\\System32\\\\*\" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sqlwriter_sqldumper_dll_sideload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "author": "Steven Dick", "date": "2024-05-11", "version": 3, "id": "cbe761fc-d945-4c8c-a71d-e26d12255d32", "description": "The following analytic detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify these actions. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain elevated privileges or persist within the environment, potentially leading to unauthorized access to sensitive information and further exploitation.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 activity by $src_user$ - $flavor_text$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4886,4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| fillnull | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | eval flavor_text = case(EventCode==\"4886\",\"A suspicious certificate was requested using request ID: \".'RequestId',EventCode==\"4887\", \"A suspicious certificate was issued using request ID: \".'RequestId'.\". To revoke this certifacte use this request ID or the SSL fingerprint [\".'ssl_hash'.\"]\"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates___esc1_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "author": "Steven Dick", "date": "2024-05-24", "version": 2, "id": "f0306acf-a6ab-437a-bbc6-8628f8d5c97e", "description": "The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ssl_hash", "type": "Other", "role": ["Attacker"]}, {"name": "ssl_serial", "type": "Other", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 authentication on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1649", "T1550"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id==\"4887\", \"User account [\".'user'.\"] authenticated after a suspicious certificate was issued for it by [\".'src_user'.\"] using certificate request ID: \".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates___esc1_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "description": "The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. This detection helps in identifying and correlating suspicious certificate-related activities for further investigation.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was issued to $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_certificate_issued_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Request", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "description": "The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was requested by $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_certificate_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "author": "Michael Haag, Splunk", "date": "2024-05-04", "version": 2, "id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "description": "The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN (\"*-backupdb *\", \"*-backup *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_certutil_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "description": "The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security.", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10)"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificates were exported via the CryptoAPI 2 on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_cryptoapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CS Backup", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "description": "The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Active Directory Certiciate Services was backed up on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_cs_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "description": "The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-certificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "391329f3-c14b-4b8d-8b37-ac5012637360", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-pfxcertificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "description": "The following analytic identifies the execution of the Windows OS tool klist.exe, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process details. Monitoring klist.exe is significant as it can indicate attempts to list or gather cached Kerberos tickets, which are crucial for lateral movement or privilege escalation. If confirmed malicious, this activity could enable attackers to move laterally within the network or escalate privileges, posing a severe security risk.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process klist.exe executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"klist.exe\" OR Processes.original_file_name = \"klist.exe\" Processes.parent_process_name IN (\"cmd.exe\", \"powershell*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_or_forge_kerberos_tickets_klist_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Suspect Process With Authentication Traffic", "author": "Steven Dick", "date": "2024-05-15", "version": 2, "id": "953322db-128a-4ce9-8e89-56e039e33d98", "description": "The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002", "T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", "how_to_implement": "To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.", "known_false_positives": "Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_suspect_process_with_authentication_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "description": "The following analytic detects the use of the decompile parameter with the HTML Help application (HH.exe). This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions involving the decompile parameter. This activity is significant because it is an uncommon command and has been associated with APT41 campaigns, where it was used to unpack HTML help files for further malicious actions. If confirmed malicious, this technique could allow attackers to execute arbitrary commands, potentially leading to further compromise and persistence within the environment.", "references": ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using decompile against a CHM on $dest$ under user $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.001", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using ldap Nslookup", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "description": "The following analytic detects the execution of nslookup.exe to query domain information using LDAP. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as nslookup.exe can be abused by malware like Qakbot to gather critical domain details, such as SRV records and server names. If confirmed malicious, this behavior could allow attackers to map the network, identify key servers, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "references": ["https://securelist.com/qakbot-technical-analysis/103931/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System nslookup domain discovery on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"nslookup.exe\" OR Processes.original_file_name = \"nslookup.exe\") AND Processes.process = \"*_ldap._tcp.dc._msdcs*\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "dministrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_ldap_nslookup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using Qwinsta", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "description": "The following analytic detects the execution of \"qwinsta.exe\" on a Windows operating system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. The \"qwinsta.exe\" tool is significant because it can display detailed session information on a remote desktop session host server. This behavior is noteworthy as it is commonly abused by Qakbot malware to gather system information and send it back to its Command and Control (C2) server. If confirmed malicious, this activity could lead to unauthorized data exfiltration and further compromise of the host.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta", "https://securelist.com/qakbot-technical-analysis/103931/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System qwinsta domain discovery on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"qwinsta.exe\" OR Processes.original_file_name = \"qwinsta.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_qwinsta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System File on Disk", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "description": "The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["CISA AA22-264A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new driver is present on $dest$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.sys*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")). This will level out the noise generated to potentally lead to generating notables.", "known_false_positives": "False positives will be present. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System LogOff Commandline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "description": "The following analytic detects the execution of the Windows command line to log off a host machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes involving `shutdown.exe` with specific parameters. This activity is significant as it is often associated with Advanced Persistent Threats (APTs) and Remote Access Trojans (RATs) like dcrat, which use this technique to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name $process_name$ is seen to execute logoff commandline on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /l*\", \"* -l*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_logoff_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Config Discovery Display DNS", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "description": "The following analytic identifies the execution of the \"ipconfig /displaydns\" command, which retrieves DNS reply information using the built-in Windows tool IPConfig. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. Monitoring this activity is significant as threat actors and post-exploitation tools like WINPEAS often abuse this command to gather network information. If confirmed malicious, this activity could allow attackers to map the network, identify DNS servers, and potentially facilitate further network-based attacks or lateral movement.", "references": ["https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"ipconfig.exe\" OR Processes.original_file_name = \"ipconfig.exe\" AND Processes.process = \"*/displaydns*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_network_config_discovery_display_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Connections Discovery Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "description": "The following analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as netsh.exe can be used by adversaries to bypass firewall rules or discover firewall settings. If confirmed malicious, this activity could allow attackers to manipulate firewall configurations, potentially leading to unauthorized network access or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Snake Keylogger", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "netsh process with command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = \"* show *\" Processes.process IN (\"*state*\", \"*config*\", \"*wlan*\", \"*profile*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_network_connections_discovery_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Reboot CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "description": "The following analytic identifies the execution of the Windows command line to reboot a host machine using \"shutdown.exe\" with specific parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it is often associated with advanced persistent threats (APTs) and remote access trojans (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ that executed reboot via commandline on $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /r*\", \"* -r*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_reboot_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "description": "The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk.", "references": ["https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1216", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"wscript.exe\",\"cscript.exe\") Processes.process=\"*syncappvpublishingserver.vbs*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Shutdown CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 3, "id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "description": "The following analytic identifies the execution of the Windows shutdown command via the command line interface. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because attackers may use the shutdown command to erase tracks, cause disruption, or ensure changes take effect after installing backdoors. If confirmed malicious, this activity could lead to system downtime, denial of service, or evasion of security tools, impacting the overall security posture of the network.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ seen to execute shutdown via commandline on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" AND Processes.process IN(\"* /s*\", \"* -s*\") AND Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_shutdown_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Time Discovery W32tm Delay", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "description": "The following analytic identifies the use of the w32tm.exe utility with the /stripchart function, which is indicative of DCRat malware delaying its payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments used by w32tm.exe. This activity is significant as it may indicate an attempt to evade detection by delaying malicious actions such as C2 communication and beaconing. If confirmed malicious, this behavior could allow an attacker to maintain persistence and execute further malicious activities undetected.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1124"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= \"* /stripchart *\" Processes.process= \"* /computer:localhost *\" Processes.process= \"* /period:*\" Processes.process= \"* /dataonly *\" Processes.process= \"* /samples:*\" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_time_discovery_w32tm_delay_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Discovery Via Quser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "description": "The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"quser.exe\" OR Processes.original_file_name = \"quser.exe\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to audit RDP access of user in specific network or host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_user_discovery_via_quser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Privilege Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "8c9a06bc-9939-4425-9bb9-be2371f7fb7e", "description": "The following analytic detects the execution of `whoami.exe` with the `/priv` parameter, which displays the privileges assigned to the current user account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to enumerate user privileges, a common step in the reconnaissance phase of an attack. If confirmed malicious, this could lead to privilege escalation or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to system user privilege discovery detected on $dest$ using whoami.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"whoami.exe\" Processes.process= \"*/priv*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_user_privilege_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Terminating Lsass Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "description": "The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "a process $SourceImage$ terminates Lsass process in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_terminating_lsass_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "34502357-deb1-499a-8261-ffe144abf561", "description": "The following analytic detects potentially malicious processes that initiate a ping delay using an invalid IP address. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"ping 0 -n\". This behavior is significant as it is commonly used by malware like NJRAT to introduce time delays for evasion tactics, such as delaying self-deletion. If confirmed malicious, this activity could indicate an active infection attempting to evade detection, potentially leading to further compromise and persistence within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ did a suspicious ping to invalid IP address on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1497", "T1497.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"ping.exe\" Processes.parent_process = \"* ping 0 -n *\" OR Processes.process = \"* ping 0 -n *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion via Choice Exec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "d5f54b38-10bf-4b3a-b6fc-85949862ed50", "description": "The following analytic detects the use of choice.exe in batch files as a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential time-based evasion techniques used by malware to avoid detection. If confirmed malicious, this behavior could allow attackers to execute code stealthily, delete malicious files, and persist on compromised hosts, making it crucial for SOC analysts to investigate promptly.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ has a choice time delay commandline on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1497.003", "T1497"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process = \"*/T*\" Processes.process = \"*/N*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_via_choice_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "author": "Steven Dick", "date": "2024-05-22", "version": 2, "id": "453a6b0f-b0ea-48fa-9cf4-20537ffdd22c", "description": "The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548", "T1548.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN (\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\",\"wscript\",\"cscript.exe\",\"bash.exe\",\"werfault.exe\") OR Processes.process IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\ProgramData\\\\*\",\"*\\\\Temp\\\\*\")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "00d050d3-a5b4-4565-a6a5-a31f69681dc3", "description": "The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548", "T1548.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval original_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename process_guid as join_guid_1, process* as parent_process* | join max=0 dest join_guid_1 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] | join max=0 dest join_guid_2 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN (\"high\",\"system\") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_2 | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0)] | where elevated_integrity_level > original_integrity_level | table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_escalation_behavior_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_escalation_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "36334123-077d-47a2-b70c-6c7b3cc85049", "description": "The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing outlook credentials registry on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676*\", \"*\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676*\") AND process_name != *\\\\outlook.exe | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsecured_outlook_credentials_access_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "third party software may access this outlook registry.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_unsecured_outlook_credentials_access_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unsigned DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "5a83ce44-8e0f-4786-a775-8249a525c879", "description": "The following analytic detects the creation of potentially malicious unsigned DLLs in the c:\\windows\\system32 or c:\\windows\\syswow64 folders. It leverages Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded in these critical directories. This activity is significant as it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["NjRAT", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An unsigned dll module was loaded on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Signed=false OriginalFileName = \"-\" SignatureStatus=\"unavailable\" ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-06-07", "version": 1, "id": "3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f", "description": "This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.", "references": ["https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html", "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "tags": {"analytic_story": ["DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An unsigned dll module was loaded on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"c:\\\\Program Files*\")) NOT (ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"c:\\\\Program Files*\")) | rex field=Image \"(?.+\\\\\\)\" | rex field=ImageLoaded \"(?.+\\\\\\)\" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_dll_side_loading_in_same_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned MS DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "8d9e0e06-ba71-4dc5-be16-c1a46d58728c", "description": "The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. This behavior is significant as adversaries often exploit DLL side-loading to execute malicious code via legitimate processes. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Company=\"Microsoft Corporation\" Signed=false SignatureStatus != Valid NOT (Image IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) NOT (ImageLoaded IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) | rex field=Image \"(?.+\\\\\\)\" | rex field=ImageLoaded \"(?.+\\\\\\)\" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_ms_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "f65aa026-b811-42ab-b4b9-d9088137648f", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 2, "id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "15603165-147d-4a6e-9778-bd0ff39e668f", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential NTLM based password spraying attack from $src$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "description": "The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "description": "The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "description": "The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "description": "The following analytic detects the creation of suspicious URL shortcut link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify .url files created outside standard directories, such as Program Files. This activity is significant as it may indicate an attempt to execute malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process created URL shortcut file in $file_path$ of $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204.002", "T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN (\"*\\\\Program Files*\")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_user_execution_malicious_url_shortcut_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Valid Account With Never Expires Password", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "73a931db-1830-48b3-8296-cd9cfa09c3c8", "description": "The following analytic detects the use of net.exe to update user account policies to set passwords as non-expiring. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"/maxpwage:unlimited\". This activity is significant as it can indicate an attempt to maintain persistence, escalate privileges, evade defenses, or facilitate lateral movement. If confirmed malicious, this behavior could allow an attacker to maintain long-term access to compromised accounts, potentially leading to further exploitation and unauthorized access to sensitive information.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"* accounts *\" AND Processes.process=\"* /maxpwage:unlimited\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This behavior is not commonly seen in production environment and not advisable, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_valid_account_with_never_expires_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable 3CX Software", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "f2cc1584-46ee-485b-b905-977c067f36de", "description": "The following analytic detects instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this activity is crucial as these specific versions have known vulnerabilities that could be exploited by attackers. If confirmed malicious, exploitation of this vulnerability could lead to unauthorized access, code execution, or further compromise of the affected system, posing significant security risks.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1195.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_3cx_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable Driver Loaded", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "description": "The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.", "references": ["https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/jbaines-r7/dellicious", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", "https://github.com/stong/CVE-2020-15368", "https://github.com/CaledoniaProject/drivers-binaries", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`", "how_to_implement": "Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable.", "known_false_positives": "False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "loldrivers", "description": "A list of known vulnerable drivers", "filename": "loldrivers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows WinDBG Spawning AutoIt3", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "7aec015b-cd69-46c3-85ed-dac152056aa4", "description": "The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior is detected by monitoring endpoint telemetry for processes where 'windbg.exe' is the parent process and 'autoit3.exe' or similar is the child process. This activity is significant because AutoIt3 is frequently used by threat actors for scripting malicious automation, potentially indicating an ongoing attack. If confirmed malicious, this could allow attackers to automate tasks, execute arbitrary code, and further compromise the system, leading to data exfiltration or additional malware deployment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND (Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\")) by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.original_file_name, Processes.process, Processes.process_id, Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval matches_extension=if(match(process, \"\\\\.(au3|a3x|exe|aut|aup)$\"), \"Yes\", \"No\") | search matches_extension=\"Yes\" | `windows_windbg_spawning_autoit3_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_windbg_spawning_autoit3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WinLogon with Public Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "description": "The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1542.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_winlogon_with_public_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Impersonate Token", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "description": "The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.", "references": ["https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md", "https://www.joesandbox.com/analysis/278341/0/html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\wmiprvse.exe\" GrantedAccess IN (\"0x1478\", \"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "administrator may execute impersonate wmi object script for auditing. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_wmi_impersonate_token_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process And Service List", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "description": "The following analytic identifies suspicious WMI command lines querying for running processes or services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line events. This activity is significant as adversaries often use WMI to gather system information and identify services on compromised machines. If confirmed malicious, this behavior could allow attackers to map out the system, identify critical services, and plan further attacks, potentially leading to privilege escalation or persistence within the environment.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wmi command $process$ to list processes and services in $dest$", "risk_score": 4, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*process list*\", \"*service list*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "netowrk administrator or IT may execute this command for auditing processes and services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_and_service_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process Call Create", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "0661c2de-93de-11ec-9833-acde48001122", "description": "The following analytic detects the execution of WMI command lines used to create or execute processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line events that include specific keywords like \"process,\" \"call,\" and \"create.\" This activity is significant because adversaries often use WMI to execute malicious payloads on local or remote hosts, potentially bypassing traditional security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "references": ["https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml", "https://github.com/redcanaryco/atomic-red-team/blob/2b804d25418004a5f1ba50e9dc637946ab8733c7/atomics/T1047/T1047.md", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "IcedID", "Qakbot", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with $process$ commandline executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"* process *\" Processes.process = \"* call *\" Processes.process = \"* create *\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command for testing or auditing.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_call_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 4, "id": "203ef0ea-9bd8-11eb-8201-acde48001122", "description": "The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA22-257A", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$ by the following command: $TaskContent$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "winevent_scheduled_task_created_to_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 4, "id": "5d9c6eee-988c-11eb-8253-acde48001122", "description": "The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN", "https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "AsyncRAT", "CISA AA22-257A", "CISA AA23-347A", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "winevent_scheduled_task_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "b3632472-310b-11ec-9aab-acde48001122", "description": "The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "CISA AA22-257A", "DarkCrystal RAT", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Qakbot", "Sandworm Tools", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Scheduled Task was scheduled and ran on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_task_scheduler` EventCode IN (\"200\",\"201\") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`", "how_to_implement": "Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message.", "known_false_positives": "False positives will be present. Filter based on ActionName paths or specify keywords of interest.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "winevent_windows_task_scheduler_event_action_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_task_scheduler", "definition": "source=\"XmlWinEventLog:Security\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Winhlp32 Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "d17dae9e-2618-11ec-b9f5-acde48001122", "description": "The following analytic detects winhlp32.exe spawning a child process that loads a file from appdata, programdata, or temp directories. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because winhlp32.exe has known vulnerabilities and can be exploited to execute malicious code. If confirmed malicious, an attacker could use this technique to execute arbitrary scripts, escalate privileges, or maintain persistence within the environment. Analysts should review parallel processes, module loads, and file modifications for further suspicious behavior.", "references": ["https://www.exploit-db.com/exploits/16541", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winhlp32_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRAR Spawning Shell Application", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "d2f36034-37fa-4bd4-8801-26807c15540f", "description": "The following analytic detects the execution of Windows shell processes initiated by WinRAR, such as \"cmd.exe\", \"powershell.exe\", \"certutil.exe\", \"mshta.exe\", or \"bitsadmin.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it may indicate exploitation of the WinRAR CVE-2023-38831 vulnerability, where malicious scripts are executed from spoofed ZIP archives. If confirmed malicious, this could lead to unauthorized access, financial loss, and further malicious activities like data theft or ransomware attacks.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc", "https://github.com/b1tg/CVE-2023-38831-winrar-exploit"], "tags": {"analytic_story": ["WinRAR Spoofing Attack CVE-2023-38831"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN (\"certutil.exe\",\"mshta.exe\",\"bitsadmin.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winrar_spawning_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRM Spawning a Process", "author": "Drew Church, Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "a081836a-ba4d-11eb-8593-acde48001122", "description": "The following analytic detects suspicious processes spawned by WinRM (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate exploitation attempts of vulnerabilities like CVE-2021-31166, which could lead to system instability or compromise. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistence, posing a severe threat to the environment.", "references": ["https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml", "https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys", "https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py"], "tags": {"analytic_story": ["CISA AA23-347A", "Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN (\"cmd.exe\",\"sh.exe\",\"bash.exe\",\"powershell.exe\",\"pwsh.exe\",\"schtasks.exe\",\"certutil.exe\",\"whoami.exe\",\"bitsadmin.exe\",\"scp.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winrm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Cmd", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "6fcbaedc-a37b-11eb-956b-acde48001122", "description": "The following analytic identifies instances where Microsoft Word (winword.exe) spawns the command prompt (cmd.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious attachments execute commands via cmd.exe. If confirmed malicious, this could allow an attacker to execute arbitrary commands, potentially leading to further system compromise, data exfiltration, or lateral movement within the network.", "references": ["https://app.any.run/tasks/73af0064-a785-4c0a-ab0d-cde593fe16ef/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ which is very common in spearphishing attacks.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 3, "id": "b2c950b8-9be2-11eb-8658-acde48001122", "description": "The following analytic identifies instances where Microsoft Word (winword.exe) spawns a PowerShell process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious documents execute encoded PowerShell commands. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/", "https://app.any.run/tasks/b79fa381-f35c-4b3e-8d02-507e7ee7342f/", "https://app.any.run/tasks/181ac90b-0898-4631-8701-b778a30610ad/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched the following powershell process: $process_name$ which is very common in spearphishing attacks", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" `process_powershell` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "637e1b5c-9be1-11eb-9c32-acde48001122", "description": "The following analytic identifies instances where Microsoft Winword.exe spawns Windows Script Host processes (cscript.exe or wscript.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is Winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious scripts are executed via document macros. If confirmed malicious, this could lead to code execution, allowing attackers to gain initial access, execute further payloads, or establish persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "User $user$ on $dest$ spawned Windows Script Host from Winword.exe", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription", "author": "Rico Valdez, Splunk", "date": "2024-05-26", "version": 2, "id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "description": "The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon Event ID 5 data to identify instances where the event consumers are not the expected \"NTEventLogEventConsumer.\" This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wmi` EventCode=5861 Binding | rex field=Message \"Consumer =\\s+(?[^;|^$]+)\" | search consumer!=\"NTEventLogEventConsumer=\\\"SCM Event Log Consumer\\\"\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription - Sysmon", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "description": "The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "WMI Permanent Event Subscription detected on $dest$ by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.003", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`", "how_to_implement": "To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Recon Running Process Or Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 4, "id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI performs an event query to list running processes or services. This detection leverages PowerShell Script Block Logging to capture and analyze script block text for specific WMI queries. This activity is significant as it is commonly used by malware and APT actors to map security applications or services on a compromised machine. If confirmed malicious, this could allow attackers to identify and potentially disable security defenses, facilitating further compromise and persistence within the environment.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious powerShell script execution by $user$ on $dest$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1592"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*SELECT*\" AND (ScriptBlockText=\"*Win32_Process*\" OR ScriptBlockText=\"*Win32_Service*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi_recon_running_process_or_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Temporary Event Subscription", "author": "Rico Valdez, Splunk", "date": "2024-05-12", "version": 2, "id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "description": "The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wmi` EventCode=5860 Temporary | rex field=Message \"NotificationQuery =\\s+(?[^;|^$]+)\" | search query!=\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\" AND query!=\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_temporary_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic Group Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "83317b08-155b-11ec-8e00-acde48001122", "description": "The following analytic identifies the use of `wmic.exe` to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line details. Monitoring this activity is significant as it can indicate reconnaissance efforts by an attacker to understand group memberships, which could be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out privileged groups, aiding in further exploitation and persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process=\"*group get name*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic NonInteractive App Uninstallation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "description": "The following analytic identifies the use of the WMIC command-line tool attempting to uninstall applications non-interactively. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with WMIC. This activity is significant because it is uncommon and may indicate an attempt to evade detection by uninstalling security software, as seen in IcedID malware campaigns. If confirmed malicious, this behavior could allow an attacker to disable security defenses, facilitating further compromise and persistence within the environment.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process=\"* product *\" Processes.process=\"*where name*\" Processes.process=\"*call uninstall*\" Processes.process=\"*/nointeractive*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Third party application may use this approach to uninstall applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_noninteractive_app_uninstallation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMIC XSL Execution via URL", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "787e9dd0-4328-11ec-a029-acde48001122", "description": "The following analytic detects `wmic.exe` loading a remote XSL script via a URL. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include HTTP/HTTPS URLs and the /FORMAT switch. This activity is significant as it indicates a potential application control bypass, allowing adversaries to execute JScript or VBScript within an XSL file. If confirmed malicious, this technique can enable attackers to execute arbitrary code, escalate privileges, or maintain persistence using a trusted Windows tool, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1220"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*http://*\", \"*https://*\") Processes.process=\"*/format:*\" by Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_xsl_execution_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "95a455f0-4c04-11ec-b8ac-3e22fbd008af", "description": "The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `wmiprvse.exe` is the parent process and the child process is a known LOLBAS binary. This activity is significant as it may indicate lateral movement or remote code execution by an adversary abusing Windows Management Instrumentation (WMI). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wmiprsve.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmiprsve_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "1f35e1da-267b-11ec-90a9-acde48001122", "description": "The following analytic identifies suspicious child processes spawned by WScript or CScript. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific parent and child process names. This activity is significant as adversaries often use WScript or CScript to execute Living Off The Land Binaries (LOLBINs) or other scripts like PowerShell for defense evasion. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "FIN7", "NjRAT", "Remcos", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "wscript or cscript parent process spawned $process_name$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055", "T1543", "T1134.004", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"cscript.exe\", \"wscript.exe\") Processes.process_name IN (\"regsvr32.exe\", \"rundll32.exe\",\"winhlp32.exe\",\"certutil.exe\",\"msbuild.exe\",\"cmd.exe\",\"powershell*\",\"wmic.exe\",\"mshta.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wscript_or_cscript_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "description": "The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. It leverages Endpoint Detection and Response (EDR) data to detect when `Wsmprovhost.exe` spawns child processes that are known LOLBAS (Living Off the Land Binaries and Scripts) executables. This activity is significant because it may indicate an adversary using Windows Remote Management (WinRM) to execute code on remote endpoints, a common technique for lateral movement. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://lolbas-project.github.io/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wsmprovhost.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wsmprovhost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WSReset UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "8b5901bc-da63-11eb-be43-acde48001122", "description": "The following analytic detects a suspicious modification of the registry aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies the creation or modification of specific registry values under the path \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\". This detection uses data from Endpoint Detection and Response (EDR) agents, focusing on process and registry events. This activity is significant because UAC bypass techniques can allow attackers to execute high-privilege actions without user consent. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise.", "references": ["https://github.com/hfiref0x/UACME", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\" AND (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"DelegateExecute\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wsreset_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XMRIG Driver Loaded", "author": "Teoderick Contreras, Splunk", "date": "2024-05-06", "version": 2, "id": "90080fa6-a8df-11eb-91e4-acde48001122", "description": "The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/"], "tags": {"analytic_story": ["CISA AA22-320A", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=6 Signature=\"Noriyuki MIYAZAKI\" OR ImageLoaded= \"*\\\\WinRing0x64.sys\" | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives should be limited.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "xmrig_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XSL Script Execution With WMIC", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "004e32e2-146d-11ec-a83f-acde48001122", "description": "The following analytic detects the execution of an XSL script using the WMIC process, which is often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving WMIC and XSL files. This behavior is significant as it has been associated with the FIN7 group, known for using this technique to execute malicious scripts. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise and further malicious actions within the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-3---wmic-bypass-using-local-xsl-file"], "tags": {"analytic_story": ["FIN7", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1220"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"*os get*\" Processes.process=\"*/format:*\" Processes.process = \"*.xsl*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "xsl_script_execution_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect ARP Poisoning", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "b44bebd6-bd39-467b-9321-73971bcd1aac", "description": "The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"arp-inspection\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_arp_poisoning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-29", "version": 2, "id": "92e24f32-9b9a-4060-bba2-2a0eb31f3493", "description": "The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions.", "references": ["https://attack.mitre.org/techniques/T1568/002/", "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", "https://en.wikipedia.org/wiki/Domain_generation_algorithm"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "domain", "type": "URL String", "role": ["Attacker"]}], "message": "A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1568.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy DGA detection model into Splunk App DSDL.\\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\n* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\n* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\n* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if domain name is similar to dga generated domains.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-22", "version": 2, "id": "92f65c3a-168c-11ed-71eb-0242ac120012", "description": "The following analytic identifies potential DNS data exfiltration using a pre-trained deep learning model. It leverages DNS request data from the Network Resolution datamodel and computes features from past events between the same source and domain. The model generates a probability score (pred_is_exfiltration_proba) indicating the likelihood of data exfiltration. This activity is significant as DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising the organization's security posture.", "references": ["https://attack.mitre.org/techniques/T1048/003/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/Data_exfiltration"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "query", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A DNS data exfiltration request was sent by this host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name(\"DNS\")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS data exfiltration request look very similar to benign DNS requests.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect hosts connecting to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 4, "id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "description": "The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ from your infra connecting to suspicious domain in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`", "how_to_implement": "First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** DNS Query, **Field:** query\n* **Label:** DNS Answer, **Field:** answer\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_hosts_connecting_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "dynamic_dns_providers", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect IPv6 Network Infrastructure Threats", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "description": "The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption.", "references": ["https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-ra-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-snooping.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dad-proxy.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-nd-mcast-supp.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dhcpv6-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-src-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ipv6-dest-guard.html"], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"SISF\" mnemonic IN (\"IP_THEFT\",\"MAC_THEFT\",\"MAC_AND_IP_THEFT\",\"PAK_DROP\") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "None currently known", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_ipv6_network_infrastructure_threats_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Large Outbound ICMP Packets", "author": "Rico Valdez, Splunk", "date": "2024-05-24", "version": 3, "id": "e9c102de-4d43-42a7-b1c8-8062ea297419", "description": "The following analytic identifies outbound ICMP packets with a size larger than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually large ICMP packets that are not blocked and are destined for external IP addresses. This activity is significant because threat actors often use ICMP for command and control communication, and large ICMP packets can indicate data exfiltration or other malicious activities. If confirmed malicious, this could allow attackers to maintain covert communication channels, exfiltrate sensitive data, or further compromise the network.", "references": [], "tags": {"analytic_story": ["Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1095"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\"All_Traffic\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_large_outbound_icmp_packets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Outbound LDAP Traffic", "author": "Bhavin Patel, Johan Bjerke, Splunk", "date": "2024-05-21", "version": 2, "id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "description": "The following analytic identifies outbound LDAP traffic to external IP addresses. It leverages the Network_Traffic data model to detect connections on ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity is significant because outbound LDAP traffic can indicate potential data exfiltration or unauthorized access attempts. If confirmed malicious, attackers could exploit this to access sensitive directory information, leading to data breaches or further network compromise.", "references": ["https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name(\"All_Traffic\")` | where src_ip != dest_ip | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)` |`detect_outbound_ldap_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_outbound_ldap_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Outbound SMB Traffic", "author": "Bhavin Patel, Stuart Hopkins, Patrick Bareiss", "date": "2024-05-25", "version": 5, "id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "description": "The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.002", "T1071"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=\"smb\") by All_Traffic.src_ip | `drop_dm_object_name(\"All_Traffic\")` | eval match=case( cidrmatch(\"10.0.0.0/8\" ,dest_ip) ,\"1\", cidrmatch(\"172.16.0.0/12\" ,dest_ip) ,\"1\", cidrmatch(\"192.168.0.0/16\" ,dest_ip) ,\"1\", cidrmatch(\"100.64.0.0/10\" ,dest_ip) ,\"1\", 1=1,\"0\") | search match=0 | fields - match | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`", "how_to_implement": "This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_outbound_smb_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Port Security Violation", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-13", "version": 2, "id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "description": "The following analytic detects port security violations on Cisco switches. It leverages logs from Cisco network devices, specifically looking for events with mnemonics indicating port security violations. This activity is significant because it indicates an unauthorized device attempting to connect to a secured port, potentially bypassing network access controls. If confirmed malicious, this could allow an attacker to gain unauthorized access to the network, leading to data exfiltration, network disruption, or further lateral movement within the environment.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` (facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"psecure-violation\") OR (facility=\"PORT_SECURITY\" mnemonic=\"PSECURE_VIOLATION\" OR mnemonic=\"PSECURE_VIOLATION_VLAN\") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_port_security_violation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Remote Access Software Usage DNS", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "a16b797d-e309-41bd-8ba0-5067dae2e4be", "description": "The following analytic detects DNS queries to known remote access software domains from within the environment. It leverages DNS query logs mapped to the Network_Resolution data model and cross-references them with a lookup table of remote access software domains, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use remote access tools to maintain persistent access to compromised systems. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further infiltrate the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $query$ was contacted by $src$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`", "how_to_implement": "To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Traffic", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "885ea672-07ee-475a-879e-60d28aa5dd42", "description": "The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://applipedia.paloaltonetworks.com/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Application traffic for a known remote access software [$signature$] was detected from $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`", "how_to_implement": "The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Rogue DHCP Server", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-28", "version": 2, "id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "description": "The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically looking for events where DHCP leases are issued from untrusted ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle attacks, leading to potential data interception and network disruption. If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"DHCP_SNOOPING\" mnemonic=\"DHCP_SNOOPING_UNTRUSTED_PORT\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_rogue_dhcp_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect SNICat SNI Exfiltration", "author": "Shannon Davis, Splunk", "date": "2024-05-21", "version": 2, "id": "82d06410-134c-11eb-adc1-0242ac120002", "description": "The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.", "references": ["https://www.mnemonic.io/resources/blog/introducing-snicat/", "https://github.com/mnemonic-no/SNIcat", "https://attack.mitre.org/techniques/T1041/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1041"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_ssl` | rex field=server_name \"(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\\.)\" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`", "how_to_implement": "You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.", "known_false_positives": "Unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_snicat_sni_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zeek_ssl", "definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Software Download To Network Device", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-20", "version": 2, "id": "cc590c66-f65f-48f2-986a-4797244762f8", "description": "The following analytic identifies unauthorized software downloads to network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing network traffic events on specific ports (69, 21, 22) from devices categorized as network, router, or switch. This activity is significant because adversaries may exploit netbooting to load unauthorized operating systems, potentially compromising network integrity. If confirmed malicious, this could lead to unauthorized control over network devices, enabling further attacks, data exfiltration, or persistent access within the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1542.005", "T1542"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`", "how_to_implement": "This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory.", "known_false_positives": "This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_software_download_to_network_device_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-13", "version": 2, "id": "92f65c3a-968c-11ed-a1eb-0242ac120002", "description": "The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security.", "references": ["https://attack.mitre.org/techniques/T1071/004/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/TXT_record"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "answer", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious DNS TXT response was detected on host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1568.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`.\n* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`.\n* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab.\n* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`.\n* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab.\n* Save the notebook using the save option in Jupyter notebook.\n* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Traffic Mirroring", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-09", "version": 2, "id": "42b3b753-5925-49c5-9742-36fa40a73990", "description": "The following analytic detects the initiation of traffic mirroring sessions on Cisco network devices. It leverages logs with specific mnemonics and facilities related to traffic mirroring, such as \"ETH_SPAN_SESSION_UP\" and \"PKTCAP_START.\" This activity is significant because adversaries may use traffic mirroring to exfiltrate data by duplicating and forwarding network traffic to an external destination. If confirmed malicious, this could allow attackers to capture sensitive information, monitor network communications, and potentially compromise the integrity and confidentiality of the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1020", "T1498", "T1020.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` (facility=\"MIRROR\" mnemonic=\"ETH_SPAN_SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"PKTCAP_START\") OR (mnemonic=\"CFGLOG_LOGGEDCMD\" command=\"monitor session*\") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.", "known_false_positives": "This search will return false positives for any legitimate traffic captures by network administrators.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_traffic_mirroring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Unauthorized Assets by MAC address", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 3, "id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "description": "The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration.", "references": [], "tags": {"analytic_story": ["Asset Tracking"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name(\"Network_Sessions\")`|`drop_dm_object_name(\"All_Sessions\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`", "how_to_implement": "This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.", "known_false_positives": "This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.", "datamodel": ["Network_Sessions"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_unauthorized_assets_by_mac_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Splunk Stream", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "babd8d10-d073-11ea-87d0-0242ac130003", "description": "The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1203"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_dns` | spath \"query_type{}\" | search \"query_type{}\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\"ip:tcp:dns\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count", "how_to_implement": "You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_windows_dns_sigred_via_splunk_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "stream_dns", "definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_tcp", "definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Zeek", "author": "Shannon Davis, Splunk", "date": "2024-05-23", "version": 2, "id": "c5c622e4-d073-11ea-87d0-0242ac130003", "description": "The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1203"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count ", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.", "known_false_positives": "unknown", "datamodel": ["Network_Traffic", "Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_windows_dns_sigred_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Zerologon via Zeek", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "description": "The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.", "references": ["https://www.secura.com/blog/zero-logon", "https://github.com/SecuraBV/CVE-2020-1472", "https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Detect Zerologon Attack", "Rhysida Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\"NetrServerReqChallenge\")) as challenge count(eval(operation==\"NetrServerAuthenticate3\")) as authcount count(eval(operation==\"NetrServerPasswordSet2\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`", "how_to_implement": "You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_zerologon_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "DNS Query Length Outliers - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-22", "version": 3, "id": "85fbcfe8-9718-4911-adf6-7000d077a3a9", "description": "The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \"IsOutlier(query_length)\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** query_length\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "dns_query_length_outliers___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS Query Length With High Standard Deviation", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 6, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "description": "The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding twice the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.record_type IN(\"Pointer\",\"PTR\") by DNS.query host| `drop_dm_object_name(\"DNS\")` | eval tlds=split(query,\".\") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It's possible there can be long domain names that are legitimate.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "dns_query_length_with_high_standard_deviation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive DNS Failures", "author": "bowesmana, Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "104658f4-afdc-499e-9719-17243f9826f1", "description": "The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Excessive DNS failures detected on $src$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.reply_code\"!=\"No Error\" \"DNS.reply_code\"!=\"NoError\" DNS.reply_code!=\"unknown\" NOT \"DNS.query\"=\"*.arpa\" \"DNS.query\"=\"*.*\" by \"DNS.src\" \"DNS.query\" \"DNS.reply_code\" | `drop_dm_object_name(\"DNS\")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "excessive_dns_failures_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "description": "The following analytic detects attempts to exploit the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. It identifies suspicious URI paths and POST HTTP methods, along with specific request headers containing potential commands in the `utilcmdargs` field and a random base64 encoded value in the `X-F5-Auth-Token` field. This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary commands on the affected system. If confirmed malicious, this could lead to full system compromise and unauthorized access to sensitive data.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred.", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url=\"*/mgmt/tm/util/bash*\" Web.http_method=\"POST\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "High Volume of Bytes Out to Url", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "c8a6b56d-16dd-4e9c-b4bd-527742ead98d", "description": "The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.", "references": ["https://attack.mitre.org/techniques/T1567/", "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html", "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$.", "risk_score": 9, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1567"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 | `drop_dm_object_name(\"Web\")`| `high_volume_of_bytes_out_to_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior.", "known_false_positives": "This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.", "datamodel": ["Web"], "source": "network", "nes_fields": null, "macros": [{"name": "high_volume_of_bytes_out_to_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Hosts receiving high volume of network traffic from email server", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "description": "The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1114.002", "T1114"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Large Volume of DNS ANY Queries", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "description": "The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type \"ANY\" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure.", "references": [], "tags": {"analytic_story": ["DNS Amplification Attacks"], "asset_type": "DNS Servers", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1498", "T1498.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" \"DNS.record_type\"=\"ANY\" by \"DNS.dest\" | `drop_dm_object_name(\"DNS\")` | where count>200 | `large_volume_of_dns_any_queries_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "large_volume_of_dns_any_queries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Multiple Archive Files Http Post Traffic", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "4477f3ea-a28f-11eb-b762-acde48001122", "description": "The following analytic detects the high-frequency exfiltration of archive files via HTTP POST requests. It leverages HTTP stream logs to identify specific archive file headers within the request body. This activity is significant as it often indicates data exfiltration by APTs or trojan spyware after data collection. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive data to an attacker’s command and control server, potentially resulting in severe data breaches and loss of confidential information.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.mandiant.com/resources/apt39-iranian-cyber-espionage-group-focused-on-personal-information", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = \"7z\" OR archive_hdr1 = \"PK\" OR archive_hdr2=\"Rar!\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration.", "known_false_positives": "Normal archive transfer via HTTP protocol may trip this detection.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "multiple_archive_files_http_post_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Ngrok Reverse Proxy on Network", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "5790a766-53b8-40d3-a696-3547b978fcf0", "description": "The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as \"*.ngrok.com\" and \"*.ngrok.io\". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok.", "risk_score": 50, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1090", "T1102"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN (\"*.ngrok.com\",\"*.ngrok.io\", \"ngrok.*.tunnel.com\", \"korgn.*.lennut.com\") by DNS.src DNS.query DNS.answer | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`", "how_to_implement": "The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "ngrok_reverse_proxy_on_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Plain HTTP POST Exfiltrated Data", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "e2b36208-a364-11eb-8909-acde48001122", "description": "The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as \"wermgr.exe\" or \"svchost.exe\". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.", "references": ["https://blog.talosintelligence.com/2020/03/trickbot-primer.html"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "A http post $http_method$ sending packet with plain text of information in uri path $uri_path$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method=POST form_data IN (\"*wermgr.exe*\",\"*svchost.exe*\", \"*name=\\\"proclist\\\"*\",\"*ipconfig*\", \"*name=\\\"sysinfo\\\"*\", \"*net view*\") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "plain_http_post_exfiltrated_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Prohibited Network Traffic Allowed", "author": "Rico Valdez, Splunk", "date": "2024-05-11", "version": 3, "id": "ce5a0962-849f-4720-a678-753fe6674479", "description": "The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the \"lookup_interesting_ports\" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `prohibited_network_traffic_allowed_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "prohibited_network_traffic_allowed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Protocol or Port Mismatch", "author": "Rico Valdez, Splunk", "date": "2024-05-29", "version": 3, "id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "description": "The following analytic identifies network traffic where the higher layer protocol does not match the expected port, such as non-HTTP traffic on TCP port 80. It leverages data from network traffic inspection technologies like Bro or Palo Alto Networks firewalls. This activity is significant because it may indicate attempts to bypass firewall restrictions or conceal malicious communications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, or exfiltrate data through commonly allowed ports, posing a significant threat to network security.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocol_or_port_mismatch_filter`", "how_to_implement": "Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "protocol_or_port_mismatch_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Protocols passing authentication in cleartext", "author": "Rico Valdez, Splunk", "date": "2024-05-29", "version": 4, "id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "description": "The following analytic identifies the use of cleartext protocols that risk leaking sensitive information. It detects network traffic on legacy protocols such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21). The detection leverages the Network_Traffic data model to identify TCP traffic on these ports. Monitoring this activity is crucial as it can expose credentials and other sensitive data to interception. If confirmed malicious, attackers could capture authentication details, leading to unauthorized access and potential data breaches.", "references": ["https://www.rackaid.com/blog/secure-your-email-and-file-transfers/", "https://www.infosecmatter.com/capture-passwords-using-wireshark/"], "tags": {"analytic_story": ["Use of Cleartext Protocols"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport=\"tcp\" AND (All_Traffic.dest_port=\"23\" OR All_Traffic.dest_port=\"143\" OR All_Traffic.dest_port=\"110\" OR (All_Traffic.dest_port=\"21\" AND All_Traffic.user != \"anonymous\")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocols_passing_authentication_in_cleartext_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22)", "known_false_positives": "Some networks may use kerberized FTP or telnet servers, however, this is rare.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "protocols_passing_authentication_in_cleartext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Desktop Network Bruteforce", "author": "Jose Hernandez, Splunk", "date": "2024-05-17", "version": 3, "id": "a98727cc-286b-4ff2-b898-41df64695923", "description": "The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$dest$ may be the target of an RDP Bruteforce", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`", "how_to_implement": "You must ensure that your network traffic data is populating the Network_Traffic data model.", "known_false_positives": "RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "remote_desktop_network_bruteforce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Desktop Network Traffic", "author": "David Dorsey, Splunk", "date": "2024-05-29", "version": 5, "id": "272b8407-842d-4b3d-bead-a704584003d3", "description": "The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action=\"allowed\" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter`", "how_to_implement": "To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \"Identify Systems Creating Remote Desktop Traffic\" to identify systems that originate the traffic and the search \"Identify Systems Receiving Remote Desktop Traffic\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \"common_rdp_source\" or \"common_rdp_destination\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "remote_desktop_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SMB Traffic Spike", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 4, "id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "description": "The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers could exfiltrate data or spread malware within the network.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.002", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\"All_Traffic\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-70m@m\"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.", "known_false_positives": "A file server may experience high-demand loads that could cause this analytic to trigger.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SMB Traffic Spike - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-21", "version": 4, "id": "d25773ba-9ad8-48d1-858e-07ad0bbeb828", "description": "The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.002", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \"%H\") | eval DayOfWeek=strftime(_time, \"%A\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \"IsOutlier(count)\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of SMB Traffic - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Identified SSL TLS Certificates", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "620fbb89-86fd-4e2e-925f-738374277586", "description": "The following analytic identifies the usage of Splunk default SSL/TLS certificates within the environment. It leverages tags such as SSL, TLS, and certificate to detect these default certificates by examining the ssl_issuer_common_name field. This activity is significant because using default certificates can expose the environment to potential security risks, as they are not unique and can be easily exploited. If confirmed malicious, attackers could intercept or manipulate data, leading to unauthorized access or data breaches. It is recommended to replace default certificates with valid, unique TLS certificates to enhance security.", "references": ["https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Proxy", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "The following $host$ is using the self signed Splunk certificate.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1040"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS \"Host(s) with Default Cert\" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype | `splunk_identified_ssl_tls_certificates_filter`", "how_to_implement": "Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will not be present as it is meant to assist with identifying default certificates being utilized.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "splunk_identified_ssl_tls_certificates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SSL Certificates with Punycode", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "696694df-5706-495a-81f2-79501fa11b90", "description": "The following analytic detects SSL certificates with Punycode domains in the SSL issuer email domain, identified by the prefix \"xn--\". It leverages the Certificates Datamodel to flag these domains and uses CyberChef for decoding. This activity is significant as Punycode can be used for domain spoofing and phishing attacks. If confirmed malicious, attackers could deceive users and systems, potentially leading to unauthorized access and data breaches.", "references": ["https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1573"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name(\"All_Certificates.SSL\")` | eval punycode=if(like(ssl_issuer_email_domain,\"%xn--%\"),1,0) | where punycode=1 | cyberchef infield=\"ssl_issuer_email_domain\" outfield=\"convertedPuny\" jsonrecipe=\"[{\"op\":\"From Punycode\",\"args\":[true]}]\" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`", "how_to_implement": "Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines.", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ssl_certificates_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "TOR Traffic", "author": "David Dorsey, Bhavin Patel, Splunk", "date": "2024-05-29", "version": 4, "id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "description": "The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities. It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed. This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network.", "references": ["https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK", "https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks."], "tags": {"analytic_story": ["Command And Control", "NOBELIUM Group", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$", "risk_score": 80, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1090", "T1090.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `tor_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "None at this time", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "tor_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Content-Type Length", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "description": "The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`", "how_to_implement": "This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.", "known_false_positives": "Very few legitimate Content-Type fields will have a length greater than 100 characters.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusually_long_content_type_length_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Service Traffic", "author": "Steven Dick", "date": "2024-05-19", "version": 2, "id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "description": "The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.", "references": ["https://adsecurity.org/?p=1729", "https://attack.mitre.org/techniques/T1003/006/", "https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Active Directory Replication Traffic from Unknown Source - $src$", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1003", "T1003.006", "T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN (\"ms-dc-replication\",\"*drsr*\",\"ad drs\") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `windows_ad_replication_service_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.", "known_false_positives": "New domain controllers or certian scripts run by administrators.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_replication_service_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Rogue Domain Controller Network Activity", "author": "Dean Luxton", "date": "2024-05-18", "version": 2, "id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "description": "The following analytic identifies unauthorized replication RPC calls from non-domain controller devices. It leverages Zeek wire data to detect specific RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate domain controllers. This activity is significant as it may indicate an attempt to introduce a rogue domain controller, which can compromise the integrity of the Active Directory environment. If confirmed malicious, this could allow attackers to manipulate directory data, escalate privileges, and persist within the network, posing a severe security risk.", "references": ["https://adsecurity.org/?p=1729"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "IP Address", "role": ["Victim"]}], "message": "Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$)", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category=\"Domain Controller\") OR NOT (src_category=\"Domain Controller\") | fillnull value=\"Unknown\" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`", "how_to_implement": "Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_rogue_domain_controller_network_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zeek x509 Certificate with Punycode", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "description": "The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the \"xn--\" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches.", "references": ["https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts", "https://docs.zeek.org/en/master/logs/x509.html", "https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the subject alternative name on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1573"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`zeek_x509` | rex field=san.email{} \"\\@(?xn--.*)\" | rex field=san.other_fields{} \"\\@(?xn--.*)\" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`", "how_to_implement": "The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "zeek_x509", "definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_x509_certificate_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "15838756-f425-43fa-9d88-a7f88063e81a", "description": "The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*\" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Adobe ColdFusion Access Control Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "d6821c0b-fcdc-4c95-a77f-e10752fae41a", "description": "The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.", "references": ["https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29298 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"//restplay*\", \"//CFIDE/restplay*\", \"//CFIDE/administrator*\", \"//CFIDE/adminapi*\", \"//CFIDE/main*\", \"//CFIDE/componentutils*\", \"//CFIDE/wizards*\", \"//CFIDE/servermanager*\",\"/restplay*\", \"/CFIDE/restplay*\", \"/CFIDE/administrator*\", \"/CFIDE/adminapi*\", \"/CFIDE/main*\", \"/CFIDE/componentutils*\", \"/CFIDE/wizards*\", \"/CFIDE/servermanager*\") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "adobe_coldfusion_access_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "695aceae-21db-4e7f-93ac-a52e39d02b93", "description": "The following analytic detects potential exploitation of the Adobe ColdFusion vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read. It monitors web requests to the \"/cf_scripts/scripts/ajax/ckeditor/*\" path using the Web datamodel, focusing on specific ColdFusion paths to differentiate malicious activity from normal traffic. This activity is significant due to the vulnerability's high CVSS score of 9.8, indicating severe risk. If confirmed malicious, it could lead to unauthorized data access, further attacks, or severe operational disruptions, necessitating immediate investigation.", "references": ["https://www.rapid7.com/db/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360/", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-26360 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/cf_scripts/scripts/ajax/ckeditor/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Cisco IOS XE Implant Access", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "07c36cda-6567-43c3-bc1a-89dff61e2cd9", "description": "The following analytic identifies the potential exploitation of a vulnerability (CVE-2023-20198) in the Web User Interface of Cisco IOS XE software. It detects suspicious account creation and subsequent actions, including the deployment of a non-persistent implant configuration file. The detection leverages the Web datamodel, focusing on specific URL patterns and HTTP methods. This activity is significant as it indicates unauthorized administrative access, which can lead to full control of the device. If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", "https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner"], "tags": {"analytic_story": ["Cisco IOS XE Software Web Management User Interface vulnerability"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-20198 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/webui/logoutconfirm.html?logon_hash=*\") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "cisco_ios_xe_implant_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "b593cac5-dd20-4358-972a-d945fefdaf17", "description": "The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration.", "references": ["https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966"], "tags": {"analytic_story": ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/oauth/idp/.well-known/openid-configuration*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.", "known_false_positives": "False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Citrix ADC Exploitation CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "76ac2dcb-333c-4a77-8ae9-2720cfae47a8", "description": "The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.", "references": ["https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467", "https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967"], "tags": {"analytic_story": ["Citrix Netscaler ADC CVE-2023-3519"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-3519 against $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saml/login\",\"/cgi/samlauth\",\"*/saml/activelogin\",\"/cgi/samlart?samlart=*\",\"*/cgi/logout\",\"/gwtest/formssso?event=start&target=*\",\"/netscaler/ns_gui/vpn/*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "citrix_adc_exploitation_cve_2023_3519_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "172c59f2-5fae-45e5-8e51-94445143e93f", "description": "The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as \"/documentum/upload.aspx?parentid=\", \"/documentum/upload.aspx?filename=\", and \"/documentum/upload.aspx?uploadId=*\", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.", "references": ["https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "tags": {"analytic_story": ["Citrix ShareFile RCE CVE-2023-24489"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-24489 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"/documentum/upload.aspx?*\" AND Web.url IN (\"*parentid=*\",\"*filename=*\",\"*uploadId=*\") AND Web.url IN (\"*unzip=*\", \"*raw=*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`", "how_to_implement": "Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.", "known_false_positives": "False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "citrix_sharefile_exploitation_cve_2023_24489_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "630ea8b2-2800-4f5d-9cbc-d65c567349b0", "description": "The following analytic identifies potential exploitation attempts of the Confluence CVE-2023-22515 vulnerability. It detects successful accesses (HTTP status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk 'Web' Data Model. This activity is significant for a SOC as it indicates possible privilege escalation attempts in Confluence. If confirmed malicious, attackers could gain unauthorized access or create accounts with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "references": ["https://github.com/Chocapikk/CVE-2023-22515/blob/main/exploit.py", "https://x.com/Shadowserver/status/1712378833536741430?s=20", "https://github.com/j3seer/CVE-2023-22515-POC"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*\",\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*\") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_cve_2023_22515_trigger_vulnerability_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence Data Center and Server Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 4, "id": "115bebac-0976-4f7d-a3ec-d1fb45a39a11", "description": "The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering for successful accesses (HTTP status 200) to these endpoints. This activity is significant as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. If confirmed malicious, it could result in unauthorized access or account creation with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/", "https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/setup/setupadministrator.action*\", \"*/setup/finishsetup.action*\", \"*/json/setup-restore-local.action*\", \"*/json/setup-restore-progress.action*\", \"*/json/setup-restore.action*\", \"*/bootstrap/selectsetupstep.action*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_data_center_and_server_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "f56936c0-ae6f-4eeb-91ff-ecc1448c6105", "description": "The following analytic identifies attempts to exploit a critical template injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and Server versions. It detects POST requests to the \"/template/aui/text-inline.vm\" endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection attacks. This activity is significant as it allows unauthenticated attackers to execute arbitrary code remotely. If confirmed malicious, attackers could gain full control over the affected Confluence instance, leading to data breaches, system compromise, and further network infiltration. Immediate patching is essential to mitigate this threat.", "references": ["https://github.com/cleverg0d/CVE-2023-22527", "https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "tags": {"analytic_story": ["Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/template/aui/text-inline.vm*\" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "description": "The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. Immediate investigation and remediation are crucial to prevent extensive damage.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.", "known_false_positives": "Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "d3f7a803-e802-448b-8eb2-e796b223bfff", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via an alternate path or channel. It leverages web request logs to identify access to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected system, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | rex field=Web.url \"/SetupWizard.aspx/(?.+)\" | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "104658f4-afdc-499e-9719-17243f982681", "description": "The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1082", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") AND (Web.url=\"*/web-console/ServerInfo.jsp*\" OR Web.url=\"*web-console*\" OR Web.url=\"*jmx-console*\" OR Web.url = \"*invoker*\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`", "how_to_implement": "You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.", "known_false_positives": "It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2024-05-22", "version": 2, "id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "description": "The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as \"hsqldb;\" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254"], "tags": {"analytic_story": ["F5 TMUI RCE CVE-2020-5902"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", "how_to_implement": "To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).", "known_false_positives": "unknown", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "detect_f5_tmui_rce_cve_2020_5902_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "f5_bigip_rogue", "definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect malicious requests to exploit JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "description": "The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\" AND Web.url_length > 200 | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`", "how_to_implement": "You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model", "known_false_positives": "No known false positives for this detection.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "detect_malicious_requests_to_exploit_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Remote Access Software Usage URL", "author": "Steven Dick", "date": "2024-05-09", "version": 2, "id": "9296f515-073c-43a5-88ec-eda5a4626654", "description": "The following analytic detects the execution of known remote access software within the environment. It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url_domain", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $url_domain$ was contacted by $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"Web\")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_url_filter`", "how_to_implement": "The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Exploit Public Facing Application via Apache Commons Text", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "description": "The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/", "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/", "https://github.com/kljunowsky/CVE-2022-42889-text4shell", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035"], "tags": {"analytic_story": ["Text4Shell CVE-2022-42889"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter`", "how_to_implement": "To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.", "known_false_positives": "False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4).", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "exploit_public_facing_application_via_apache_commons_text_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "description": "The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server.", "references": ["https://github.com/horizon3ai/CVE-2022-39952", "https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30"], "tags": {"analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "F5 TMUI Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "88bf127c-613e-4579-99e4-c4d4b02f3840", "description": "The following analytic detects attempts to exploit the CVE-2023-46747 vulnerability, an authentication bypass flaw in F5 BIG-IP's Configuration utility (TMUI). It identifies this activity by monitoring for specific URI paths such as \"*/mgmt/tm/auth/user/*\" with the PATCH method and a 200 status code. This behavior is significant for a SOC as it indicates potential unauthorized access attempts, leading to remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, steal data, disrupt systems, or conduct further malicious activities within the network.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "tags": {"analytic_story": ["F5 Authentication Bypass with TMUI"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/mgmt/tm/auth/user/*\") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel.", "known_false_positives": "False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "f5_tmui_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "description": "The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://github.com/rapid7/metasploit-framework/pull/17143"], "tags": {"analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "fortinet_appliance_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Hunting for Log4Shell", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "158b68fa-5d1a-11ec-aac8-acde48001122", "description": "The following analytic detects potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific patterns. It leverages the Web Datamodel and evaluates various indicators such as the presence of `{jndi:`, environment variables, and common URI paths. This detection is significant as Log4Shell allows remote code execution, posing a severe threat to systems. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and potentially compromise sensitive data, leading to extensive damage and data breaches.", "references": ["https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449", "https://regex101.com/r/OSrm0q/1/", "https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar", "https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/", "https://gist.github.com/MHaggis/1899b8554f38c8692a9fb0ceba60b44c", "https://twitter.com/sasi2103/status/1469764719850442760?s=20"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}, {"name": "src", "type": "Other", "role": ["Other"]}], "message": "Hunting for Log4Shell exploitation has occurred.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`", "how_to_implement": "Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against.", "known_false_positives": "It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "hunting_for_log4shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure Command Injection Attempts", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "1f32a7e0-a060-4545-b7de-73fcf9ad536e", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://twitter.com/GreyNoiseIO/status/1747711939466453301"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN(\"*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*\",\"*/api/v1/totp/user-backup-code/../../license/keys-status/*\") Web.http_method IN (\"POST\", \"GET\") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_connect_secure_command_injection_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "8e6ca490-7af3-4299-9a24-39fb69759925", "description": "The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration.", "references": ["https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis", "https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2024-21893 against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/dana-ws/saml20.ws*\",\"*/dana-ws/saml.ws*\",\"*/dana-ws/samlecp.ws*\",\"*/dana-na/auth/saml-logout.cgi/*\") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_connect_secure_ssrf_in_saml_component_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "d51c13dd-a232-4c83-a2bb-72ab36233c5d", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests to the /api/v1/totp/user-backup-code/../../system/system-information URI, which leverage an authentication bypass to access system information. The detection uses the Web datamodel to identify requests with a 200 OK response, indicating a successful exploit attempt. This activity is significant as it reveals potential unauthorized access to sensitive system information. If confirmed malicious, attackers could gain critical insights into the system, facilitating further exploitation and compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/totp/user-backup-code/../../system/system-information*\" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "ivanti_connect_secure_system_information_access_via_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "66b9c9ba-7fb2-4e80-a3a2-496e5e078167", "description": "The following analytic detects attempts to exploit CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. It identifies HTTP requests to the endpoint \"/mifs/aad/api/v2/authorized/users?*\" with a status code of 200 in web logs. This activity is significant as it indicates unauthorized remote access to restricted functionalities or resources. If confirmed malicious, this could lead to data theft, unauthorized modifications, or further system compromise, necessitating immediate action to mitigate potential severe impacts.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/aad/api/v2/authorized/users?*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "e03edeba-4942-470c-a664-27253f3ad351", "description": "The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products. It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access. This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications. If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py", "https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/asfV3/api/v2/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti Sentry Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8", "description": "The following analytic identifies unauthenticated access attempts to the System Manager Portal in Ivanti Sentry, exploiting CVE-2023-38035. It detects this activity by monitoring HTTP requests to specific endpoints (\"/mics/services/configservice/*\", \"/mics/services/*\", \"/mics/services/MICSLogService*\") with a status code of 200. This behavior is significant for a SOC as it indicates potential unauthorized access, which could lead to OS command execution as root. If confirmed malicious, this activity could result in significant system compromise and data breaches, especially if port 8443 is exposed to the internet.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "tags": {"analytic_story": ["Ivanti Sentry Authentication Bypass CVE-2023-38035"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-38035 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mics/services/configservice/*\", \"/mics/services/*\",\"/mics/services/MICSLogService*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_sentry_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Jenkins Arbitrary File Read CVE-2024-23897", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1", "description": "The following analytic identifies attempts to exploit Jenkins Arbitrary File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing \"*/cli?remoting=false*\" with a 200 status code. This activity is significant as it indicates potential unauthorized access to sensitive files on the Jenkins server, such as credentials and private keys. If confirmed malicious, this could lead to severe data breaches, unauthorized access, and further exploitation within the environment.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9025", "https://github.com/jenkinsci-cert/SECURITY-3314-3315", "https://github.com/binganao/CVE-2024-23897", "https://github.com/h4x0r-dz/CVE-2024-23897", "https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/", "https://www.shodan.io/search?query=product%3A%22Jenkins%22", "https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html"], "tags": {"analytic_story": ["Jenkins Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/cli?remoting=false*\" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source.", "known_false_positives": "False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jenkins_arbitrary_file_read_cve_2024_23897_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd4", "description": "The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/", "https://github.com/yoryio/CVE-2024-27198/blob/main/CVE-2024-27198.py"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url=\"*?jsp=*\" AND Web.url=\"*;.jsp*\") Web.status=200 Web.http_method=POST) OR (Web.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`", "how_to_implement": "The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd3", "description": "The following analytic detects attempts to exploit the CVE-2024-27198 vulnerability in JetBrains TeamCity on-premises servers, which allows attackers to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to identify suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints. This activity is significant because it can lead to unauthorized administrative access, enabling attackers to gain full control over the TeamCity server, including projects, builds, agents, and artifacts. If confirmed malicious, this could result in severe security breaches and compromise the integrity of the development environment.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`suricata` ((http.url=\"*?jsp=*\" AND http.url=\"*;.jsp*\") http.status=200 http_method=POST) OR (http.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "a1e68dcd-2e24-4434-bd0e-b3d4de139d58", "description": "The following analytic identifies attempts to exploit CVE-2024-27199, a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated access to specific endpoints. It detects unusual access patterns to vulnerable paths such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic logs via Suricata. This activity is significant as it could indicate an attacker bypassing authentication to access or modify system settings. If confirmed malicious, this could lead to unauthorized changes, disclosure of sensitive information, or uploading of malicious certificates, severely compromising the server's security.", "references": ["https://github.com/projectdiscovery/nuclei-templates/blob/f644ec82dfe018890c6aa308967424d26c0f1522/http/cves/2024/CVE-2024-27199.yaml", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`suricata` http.url IN (\"*../admin/diagnostic.jsp*\", \"*../app/https/settings/*\", \"*../app/pipeline*\", \"*../app/oauth/space/createBuild.html*\", \"*../res/*\", \"*../update/*\", \"*../.well-known/acme-challenge/*\", \"*../app/availableRunners*\", \"*../app/https/settings/setPort*\", \"*../app/https/settings/certificateInfo*\", \"*../app/https/settings/defaultHttpsPort*\", \"*../app/https/settings/fetchFromAcme*\", \"*../app/https/settings/removeCertificate*\", \"*../app/https/settings/uploadCertificate*\", \"*../app/https/settings/termsOfService*\", \"*../app/https/settings/triggerAcmeChallenge*\", \"*../app/https/settings/cancelAcmeChallenge*\", \"*../app/https/settings/getAcmeOrder*\", \"*../app/https/settings/setRedirectStrategy*\") http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "JetBrains TeamCity RCE Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "89a58e5f-1365-4793-b45c-770abbb32b6c", "description": "The following analytic detects attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises. It identifies suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, leveraging the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it may indicate an unauthenticated attacker attempting to gain administrative access via Remote Code Execution (RCE). If confirmed malicious, this could allow the attacker to execute arbitrary code, potentially compromising the entire TeamCity environment and leading to further unauthorized access and data breaches.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "tags": {"analytic_story": ["CISA AA23-347A", "JetBrains TeamCity Unauthenticated RCE", "JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/app/rest/users/id:1/tokens/RPC2*\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_rce_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Juniper Networks Remote Code Execution Exploit Detection", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "6cc4cc3d-b10a-4fac-be1e-55d384fc690e", "description": "The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/", "https://vulncheck.com/blog/juniper-cve-2023-36845"], "tags": {"analytic_story": ["Juniper JunOS Remote Code Execution"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1105", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/webauth_operation.php?PHPRC=*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`", "how_to_implement": "To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.", "known_false_positives": "Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "juniper_networks_remote_code_execution_exploit_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "author": "Jose Hernandez", "date": "2024-05-25", "version": 2, "id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "description": "The following analytic identifies attempts to inject Log4Shell JNDI payloads via web calls. It leverages the Web datamodel and uses regex to detect patterns like `${jndi:ldap://` in raw web event data, including HTTP headers. This activity is significant because it targets vulnerabilities in Java web applications using Log4j, such as Apache Struts and Solr. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to full system compromise. Immediate investigation is required to determine if the attempt was successful and to mitigate any potential exploitation.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "log4shell_jndi_payload_injection_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "author": "Jose Hernandez", "date": "2024-05-16", "version": 2, "id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "description": "The following analytic detects Log4Shell JNDI payload injections via outbound connections. It identifies suspicious LDAP lookup functions in web logs, such as `${jndi:ldap://PAYLOAD_INJECTED}`, and correlates them with network traffic to known malicious IP addresses. This detection leverages the Web and Network_Traffic data models in Splunk. Monitoring this activity is crucial as it targets vulnerabilities in Java web applications using log4j, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise sensitive data within the affected environment.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Network_Traffic", "Web"], "source": "web", "nes_fields": null, "macros": [{"name": "log4shell_jndi_payload_injection_with_outbound_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Microsoft SharePoint Server Elevation of Privilege", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2024-05-19", "version": 2, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859d", "description": "The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts. This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment. If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs"], "tags": {"analytic_story": ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29357 against $dest$ from $src$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/_api/web/siteusers*\",\"/_api/web/currentuser*\") Web.status=200 Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.", "known_false_positives": "False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "microsoft_sharepoint_server_elevation_of_privilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Monitor Web Traffic For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "description": "The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_web", "definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "monitor_web_traffic_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "b3f7a803-e802-448b-8eb2-e796b223bccc", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via alternate paths or channels. It leverages Nginx access logs to identify web requests to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected ScreenConnect instance, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://docs.splunk.com/Documentation/AddOns/released/NGINX/Sourcetypes", "https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Proxy", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`nginx_access_logs` uri_path IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nginx_connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "nginx_access_logs", "definition": "(sourcetype=\"nginx:plus:kv\" OR sourcetype=\"nginx:plus:access\")", "description": "This is the base macro for Nginx sourcetypes"}, {"name": "nginx_connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PaperCut NG Remote Web Access Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "description": "The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges. This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server. If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "papercut_ng_remote_web_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "description": "The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", "how_to_implement": "To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.", "known_false_positives": "False positives will be limited, however tune or modify the query as needed.", "datamodel": ["Risk"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "proxyshell_proxynotshell_behavior_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Spring4Shell Payload URL Request", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "9d44d649-7d67-4559-95c1-8022ff49420b", "description": "The following analytic detects attempts to exploit the Spring4Shell vulnerability (CVE-2022-22963) by identifying specific URL patterns associated with web shell payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs containing indicators like \"tomcatwar.jsp,\" \"poc.jsp,\" and \"shell.jsp.\" This activity is significant as it suggests an attacker is trying to deploy a web shell, which can lead to remote code execution. If confirmed malicious, this could allow the attacker to gain persistent access, execute arbitrary commands, and potentially escalate privileges within the compromised environment.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", "risk_score": 36, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "The jsp file names are static names used in current proof of concept code. =", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spring4shell_payload_url_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SQL Injection with Long URLs", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 4, "id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "description": "The following analytic detects long URLs containing multiple SQL commands, indicating a potential SQL injection attack. This detection leverages web traffic data, specifically targeting web server destinations with URLs longer than 1024 characters or HTTP user agents longer than 200 characters. SQL injection is significant as it allows attackers to manipulate a web application's database, potentially leading to unauthorized data access or modification. If confirmed malicious, this activity could result in data breaches, unauthorized access, and complete system compromise. Immediate investigation and validation of alerts are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["SQL Injection"], "asset_type": "Database Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "SQL injection attempt with url $url$ detected on $dest$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table.", "known_false_positives": "It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "sql_injection_with_long_urls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Supernova Webshell", "author": "John Stoner, Splunk", "date": "2024-05-26", "version": 2, "id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "description": "The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing \"*logoimagehandler.ashx*codes*\", \"*logoimagehandler.ashx*clazz*\", \"*logoimagehandler.ashx*method*\", and \"*logoimagehandler.ashx*args*\". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1505.003", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.", "known_false_positives": "There might be false positives associted with this detection since items like args as a web argument is pretty generic.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "supernova_webshell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMWare Aria Operations Exploit Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "description": "The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint \"/saas./resttosaasservlet.\" This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"], "tags": {"analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1133", "T1190", "T1210", "T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saas./resttosaasservlet*\") Web.http_method=POST Web.status IN (\"unknown\", \"200\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.", "known_false_positives": "False positives will be present based on gateways in use, modify the status field as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_aria_operations_exploit_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Server Side Template Injection Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "description": "The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing \"deviceudid\" and keywords like \"java.lang.ProcessBuilder\" or \"freemarker.template.utility.ObjectConstructor\" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 35, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*deviceudid=*\" AND Web.url IN (\"*java.lang.ProcessBuilder*\",\"*freemarker.template.utility.ObjectConstructor*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_server_side_template_injection_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "description": "The following analytic detects server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE. It leverages web or proxy logs to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with the freemarker.template.utility.Execute command. This activity is significant as it indicates potential exploitation attempts that could lead to remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*/catalog-portal/ui/oauth/verify?error=&deviceudid=*\" AND Web.url=\"*freemarker.template.utility.Execute*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_workspace_one_freemarker_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web JSP Request via URL", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "2850c734-2d44-4431-8139-1a56f6f54c01", "description": "The following analytic identifies URL requests associated with CVE-2022-22965 (Spring4Shell) exploitation attempts, specifically targeting webshell access on a remote webserver. It detects HTTP GET requests with URLs containing \".jsp?cmd=\" or \"j&cmd=\" patterns. This activity is significant as it indicates potential webshell deployment, which can lead to unauthorized remote command execution. If confirmed malicious, attackers could gain control over the webserver, execute arbitrary commands, and potentially escalate privileges, leading to severe data breaches and system compromise.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to web shell activity.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*.jsp?cmd=*\",\"*j&cmd=*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_jsp_request_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Remote ShellServlet Access", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "c2a332c3-24a2-4e24-9455-0e80332e6746", "description": "The following analytic identifies attempts to access the Remote ShellServlet on a web server, specifically targeting Confluence servers vulnerable to CVE-2023-22518 and CVE-2023-22515. It leverages web data to detect URLs containing \"*plugins/servlet/com.jsos.shell/*\" with a status code of 200. This activity is significant as it is commonly associated with web shells and other malicious behaviors, potentially leading to unauthorized command execution. If confirmed malicious, attackers could gain remote code execution capabilities, compromising the server and potentially the entire network.", "references": ["http://www.servletsuite.com/servlets/shell.htm"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*plugins/servlet/com.jsos.shell/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_remote_shellservlet_access_filter`", "how_to_implement": "This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic.", "known_false_positives": "False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_remote_shellservlet_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring4Shell HTTP Request Class Module", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "description": "The following analytic detects HTTP requests containing payloads related to the Spring4Shell vulnerability (CVE-2022-22965). It leverages Splunk Stream HTTP data to inspect the HTTP request body and form data for specific fields such as \"class.module.classLoader.resources.context.parent.pipeline.first\". This activity is significant as it indicates an attempt to exploit a critical vulnerability in Spring Framework, potentially leading to remote code execution. If confirmed malicious, this could allow attackers to gain unauthorized access, execute arbitrary code, and compromise the affected system.", "references": ["https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A http body request related to Spring4Shell has been sent to $dest$ by $src$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "False positives may occur and filtering may be required. Restrict analytic to asset type.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_spring4shell_http_request_class_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring Cloud Function FunctionRouter", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "89dddbad-369a-4f8a-ace2-2439218735bc", "description": "The following analytic identifies HTTP POST requests to the Spring Cloud Function endpoint containing \"functionRouter\" in the URL. It leverages the Web data model to detect these requests based on specific fields such as http_method, url, and http_user_agent. This activity is significant because it targets CVE-2022-22963, a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept exploits available. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://github.com/rapid7/metasploit-framework/pull/16395", "https://github.com/hktalent/spring-spel-0day-poc"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"POST\") Web.url=\"*/functionRouter*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_spring_cloud_function_functionrouter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "author": "Michael Haag, Nathaniel Stearns, Splunk", "date": "2024-05-16", "version": 2, "id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "description": "The following analytic detects potential abuse of the ProxyShell or ProxyNotShell vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It leverages the Web datamodel to identify suspicious POST requests with specific URI paths and queries related to autodiscover, powershell, and mapi. This activity is significant as it may indicate an attempt to exploit Exchange server vulnerabilities to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://docs.splunk.com/Documentation/AddOns/released/MSIIS", "https://highon.coffee/blog/ssrf-cheat-sheet/", "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(\"Web\")` | eval is_autodiscover=if(like(lower(uri_path),\"%autodiscover%\"),1,0) | eval powershell = if(match(lower(uri_query),\"powershell\"), \"1\",0) | eval mapi=if(like(uri_query,\"%/mapi/%\"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.", "known_false_positives": "False positives are limited.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_exchange_autodiscover_ssrf_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WordPress Bricks Builder plugin RCE", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "56a8771a-3fda-4959-b81d-2f266e2f679f", "description": "The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. It detects HTTP POST requests to the URL path \"/wp-json/bricks/v1/render_element\" with a status code of 200, leveraging the Web datamodel. This activity is significant as it indicates an attempt to exploit CVE-2024-25600, a known vulnerability that allows remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the target server, leading to potential full system compromise and unauthorized access to sensitive data.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "tags": {"analytic_story": ["WordPress Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/wp-json/bricks/v1/render_element\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter`", "how_to_implement": "The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed.", "known_false_positives": "False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wordpress_bricks_builder_plugin_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WS FTP Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "b84e8f39-4e7b-4d4f-9e7c-fcd29a227845", "description": "The following analytic detects potential Remote Code Execution (RCE) attempts exploiting CVE-2023-40044 in WS_FTP software. It identifies HTTP POST requests to the \"/AHT/AhtApiService.asmx/AuthUser\" URL with a status code of 200. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. This activity is significant as it may indicate an exploitation attempt, potentially allowing an attacker to execute arbitrary code on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/8296/files", "https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://github.com/rapid7/metasploit-framework/pull/18414"], "tags": {"analytic_story": ["WS FTP Server Critical Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/AHT/AhtApiService.asmx/AuthUser\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ws_ftp_remote_code_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Adware Activities Threat Blocked", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 2, "id": "3407b250-345a-4d71-80db-c91e555a3ece", "description": "The following analytic identifies potential adware activity blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with adware threats. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as adware can degrade system performance, lead to unwanted advertisements, and potentially expose users to further malicious content. If confirmed malicious, it could indicate an attempt to compromise user systems, necessitating further investigation and remediation to prevent potential data breaches or system exploitation.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_adware_activities_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_adware_activities_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Behavior Analysis Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "289ad59f-8939-4331-b805-f2bd51d36fb8", "description": "The following analytic identifies threats blocked by the Zscaler proxy based on behavior analysis. It leverages web proxy logs to detect entries where actions are blocked and threat names and classes are specified. This detection is significant as it highlights potential malicious activities that were intercepted by Zscaler's behavior analysis, providing early indicators of threats. If confirmed malicious, these blocked threats could indicate attempted breaches or malware infections, helping security teams to understand and mitigate potential risks in their environment.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=\"Behavior Analysis\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_behavior_analysis_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_behavior_analysis_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-22", "version": 2, "id": "ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365", "description": "The following analytic identifies attempts to download cryptomining software that are blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with cryptominer threats, analyzing key data points such as device owner, user, URL category, destination URL, and IP. This activity is significant for a SOC as it helps in early identification and mitigation of cryptomining activities, which can compromise network integrity and resource availability. If confirmed malicious, this activity could lead to unauthorized use of network resources for cryptomining, potentially degrading system performance and increasing operational costs.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 32, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_cryptominer_downloaded_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_cryptominer_downloaded_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Employment Search Web Activity", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-11", "version": 2, "id": "5456bdef-d765-4565-8e1f-61ca027bc50e", "description": "The following analytic identifies web activity related to employment searches within a network. It leverages Zscaler web proxy logs, focusing on entries categorized as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This detection is significant for SOCs as it helps monitor potential insider threats by identifying users who may be seeking new employment. If confirmed malicious, this activity could indicate a risk of data exfiltration or other insider threats, potentially leading to sensitive information leakage or other security breaches.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 4, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` urlsupercategory=\"Job/Employment Search\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_employment_search_web_activity_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_employment_search_web_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Exploit Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "94665d8c-b841-4ff4-acb4-34d613e2cbfe", "description": "The following analytic identifies potential exploit attempts involving command and script interpreters blocked by Zscaler. It leverages web proxy logs to detect incidents where actions are blocked due to exploit references. The detection compiles statistics by user, threat name, URL, hostname, file class, and filename. This activity is significant as it helps identify and mitigate exploit attempts, which are critical for maintaining security. If confirmed malicious, such activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a severe threat to organizational security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_exploit_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_exploit_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Legal Liability Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 2, "id": "bbf55ebf-c416-4f62-94d9-4064f2a28014", "description": "The following analytic identifies significant legal liability threats blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, device owners, users, URL categories, and actions associated with legal liability. By leveraging statistics on unique fields, it ensures a precise focus on these threats. This activity is significant for SOC as it helps enforce legal compliance and risk management. If confirmed malicious, it could indicate attempts to access legally sensitive or restricted content, potentially leading to legal repercussions and compliance violations.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` urlclass=\"Legal Liability\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_legal_liability_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Malware Activity Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-12", "version": 2, "id": "ae874ad8-e353-40a7-87d4-420cdfb27d1a", "description": "The following analytic identifies potential malware activities within a network that are blocked by Zscaler. It leverages web proxy logs to filter for blocked actions associated with malware, aggregating occurrences by user, URL, and threat category. This detection is significant for SOC as it highlights attempts to access malicious content, indicating potential compromise or targeted attacks. If confirmed malicious, this activity could signify an ongoing attempt to infiltrate the network, necessitating immediate investigation to prevent further threats and ensure network integrity.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_malware_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_malware_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Phishing Activity Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-12", "version": 2, "id": "68d3e2c1-e97f-4310-b080-dea180b48aa9", "description": "The following analytic identifies potential phishing attempts blocked by Zscaler within a network. It leverages web proxy logs to detect actions tagged as HTML.Phish. The detection method involves analyzing critical data points such as user, threat name, URL, and hostname. This activity is significant for a SOC as it serves as an early warning system for phishing threats, enabling prompt investigation and mitigation. If confirmed malicious, this activity could indicate an attempt to deceive users into divulging sensitive information, potentially leading to data breaches or credential theft.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=\"HTML.Phish*\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_phishing_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_phishing_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Potentially Abused File Download", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-22", "version": 2, "id": "b0c21379-f4ba-4bac-a958-897e260f964a", "description": "The following analytic identifies the download of potentially malicious file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, user, urlcategory, url, dest, and filename. This activity is significant as these file types are often used to spread malware, posing a threat to network security. If confirmed malicious, this activity could lead to malware execution, data compromise, or further network infiltration.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` url IN (\"*.scr\", \"*.dll\", \"*.bat\", \"*.lnk\") | stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_potentially_abused_file_download_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_potentially_abused_file_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-24", "version": 2, "id": "5456bdef-d765-4565-8e1f-61ca027bc50d", "description": "The following analytic identifies blocked destinations within a network that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing on entries marked as \"Privacy Risk.\" Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant for a SOC as it helps monitor and manage privacy risks, ensuring a secure network environment. If confirmed malicious, this activity could indicate attempts to access or exfiltrate sensitive information, posing a significant threat to data privacy and security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked urlclass=\"Privacy Risk\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_privacy_risk_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": ["Risk"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_privacy_risk_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Scam Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-27", "version": 2, "id": "a0c21379-f4ba-4bac-a958-897e260f964a", "description": "The following analytic identifies blocked scam-related activities detected by Zscaler within a network. It leverages web proxy logs to examine actions flagged as scam threats, focusing on data points such as device owner, user, URL category, destination URL, and IP. This detection is significant for SOC as it helps in the early identification and mitigation of scam activities, ensuring network safety. If confirmed malicious, this activity could indicate attempts to deceive users, potentially leading to data theft or financial loss.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_scam_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_scam_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Virus Download threat blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-17", "version": 2, "id": "aa19e627-d448-4a31-85cd-82068dec5691", "description": "The following analytic identifies attempts to download viruses that were blocked by Zscaler within a network. It leverages web proxy logs to detect blocked actions indicative of virus download attempts. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as it helps in early detection and remediation of potential virus threats, enhancing network security. If confirmed malicious, this activity could indicate an attempt to compromise the network, potentially leading to data breaches or further malware infections.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=Virus | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_virus_download_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_virus_download_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}]} -======= -{"detections": [{"name": "CrushFTP Server Side Template Injection", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "ccf6b7a3-bd39-4bc9-a949-143a8d640dbc", "description": "This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "tags": {"analytic_story": ["CrushFTP Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`crushftp` | rex field=_raw \"\\[(?HTTPS|HTTP):(?[^\\:]+):(?[^\\:]+):(?\\d+\\.\\d+\\.\\d+\\.\\d+)\\] (?READ|WROTE): \\*(?[A-Z]+) (?[^\\s]+) HTTP/[^\\*]+\\*\" | eval message=if(match(_raw, \"INCLUDE\") and isnotnull(src_ip), \"traces of exploitation by \" . src_ip, \"false\") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time| `crushftp_server_side_template_injection_filter`", "how_to_implement": "CrushFTP Session logs, from Windows or Linux, must be ingested to Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from the raw logs.", "known_false_positives": "False positives should be limited, however tune or filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "crushftp", "definition": "sourcetype=\"crushftp:sessionlogs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "crushftp_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Login Attempts to Routers", "author": "Bhavin Patel, Splunk", "date": "2024-05-14", "version": 2, "id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "description": "The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \"-30d@d\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\"Authentication\")` | `detect_new_login_attempts_to_routers_filter`", "how_to_implement": "To successfully implement this search, you must ensure the network router devices are categorized as \"router\" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.", "known_false_positives": "Legitimate router connections may appear as new connections", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_new_login_attempts_to_routers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Risky SPL using Pretrained ML Model", "author": "Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk", "date": "2024-05-26", "version": 2, "id": "b4aefb5f-1037-410d-a149-1e091288ba33", "description": "The following analytic identifies potentially risky SPL commands executed by users. It leverages a pretrained machine learning text classifier that analyzes command text, user, and search type to assign a risk score between 0 and 1. This detection is significant as it helps identify suspicious or unauthorized search activities that could indicate malicious intent or misuse of the Splunk environment. If confirmed malicious, such activity could lead to unauthorized data access, data exfiltration, or further exploitation of the system.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potentially risky Splunk command has been run by $user$, kindly review.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. \" \" .'Search_Activity.user'. \" \" .'Search_Activity.search_type'| dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter`", "how_to_implement": "This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.", "known_false_positives": "False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_risky_spl_using_pretrained_ml_model_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Email Attachments With Lots Of Spaces", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 3, "id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "description": "The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | eval space_ratio = (mvcount(split(file_name,\" \"))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address \"(?.*)@\" | `email_attachments_with_lots_of_spaces_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "email_attachments_with_lots_of_spaces_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Email files written outside of the Outlook directory", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 4, "id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "description": "The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in \"C:\\Users\\*\\My Documents\\Outlook Files\\*\" or \"C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*\". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \"C:\\\\Users\\\\*\\\\My Documents\\\\Outlook Files\\\\*\" Filesystem.file_path!=\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Outlook*\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "email_files_written_outside_of_the_outlook_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Email servers sending high volume traffic to hosts", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "description": "The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "email_servers_sending_high_volume_traffic_to_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor Email For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-04-16", "version": 3, "id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "description": "The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\"All_Email\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \"@\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`", "how_to_implement": "You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "monitor_email_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor", "filename": "brand_monitoring.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "No Windows Updates in a time frame", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "description": "The following analytic identifies Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. It leverages the 'Update' data model in Splunk, specifically looking for the latest 'Installed' status events from Microsoft Windows. This activity is significant for a SOC because endpoints that are not regularly patched are vulnerable to known exploits and security vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint that is intentionally being kept unpatched, potentially allowing attackers to exploit unpatched vulnerabilities and gain unauthorized access or control.", "references": [], "tags": {"analytic_story": ["Monitor for Updates"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\"Microsoft Windows\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \"Update Status\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \"-60d@d\"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as \"Last Update Time\", | table Host, \"Update Status\", Product, \"Last Update Time\" | `no_windows_updates_in_a_time_frame_filter`", "how_to_implement": "To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.", "known_false_positives": "None identified", "datamodel": ["Updates"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "no_windows_updates_in_a_time_frame_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 2, "id": "e2b99e7d-d956-411a-a120-2b14adfdde93", "description": "The following analytic identifies failed authentication attempts during the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication datamodel to detect specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This activity is significant as it may indicate an adversary attempting to authenticate with compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "references": ["https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]\"", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta IDP Lifecycle Modifications", "author": "Bhavin Patel, Splunk", "date": "2024-05-28", "version": 2, "id": "e0be2c83-5526-4219-a14f-c3db2e763d15", "description": "The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.", "references": ["https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]\"", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (\"system.idp.lifecycle.activate\",\"system.idp.lifecycle.create\",\"system.idp.lifecycle.delete\",\"system.idp.lifecycle.deactivate\") | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_idp_lifecycle_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta MFA Exhaustion Hunt", "author": "Michael Haag, Marissa Bower, Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "description": "The following analytic detects patterns of successful and failed Okta MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta event logs, specifically focusing on push verification events, and uses statistical evaluations to determine suspicious activity. This activity is significant as it may indicate an attacker attempting to bypass MFA by overwhelming the user with push notifications. If confirmed malicious, this could lead to unauthorized access, compromising the security of the affected accounts and potentially the entire environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock", "https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 18, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType=\"core.user.factor.attempt_success\")) as successes count(eval(legacyEventType=\"core.user.factor.attempt_fail\")) as failures count(eval(eventType=\"system.push.send_factor_verify_push\")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, \"%c\") | search (pushes>1) | eval totalattempts=successes+failures | eval finding=\"Normal authentication pattern\" | eval finding=if(failures==pushes AND pushes>1,\"Authentication attempts not successful because multiple pushes denied\",finding) | eval finding=if(totalattempts==0,\"Multiple pushes sent and ignored\",finding) | eval finding=if(successes>0 AND pushes>3,\"Probably should investigate. Multiple pushes sent, eventual successful authentication!\",finding) | `okta_mfa_exhaustion_hunt_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mfa_exhaustion_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "author": "John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "description": "The following analytic identifies discrepancies between the source and response events for Okta Verify Push requests, indicating potential suspicious behavior. It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa` with the factor \"OKTA_VERIFY_PUSH.\" The detection groups events by SessionID, calculates the ratio of successful sign-ins to push requests, and checks for session roaming and new device/IP usage. This activity is significant as it may indicate push spam or unauthorized access attempts. If confirmed malicious, attackers could bypass MFA, leading to unauthorized access to sensitive systems.", "references": ["https://attack.mitre.org/techniques/T1621", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\") | eval groupby=\"authenticationContext.externalSessionId\" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_pushes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_successes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"FAILURE\",1,0))) as total_rejected sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New Device=POSITIVE%\",1,0))) as suspect_device_from_source sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New IP=POSITIVE%\",0,0))) as suspect_ip_from_source values(eval(if(eventType=\"system.push.send_factor_verify_push\",\"client.ipAddress\",\"\"))) as src values(eval(if(eventType=\"user.authentication.auth_via_mfa\",\"client.ipAddress\",\"\"))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "7c0348ce-bdf9-45f6-8a57-c18b5976f00a", "description": "The following analytic identifies an attempt to disable multi-factor authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when the 'user.mfa.factor.deactivate' command is executed. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised valid account. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and prolonged undetected presence in the network.", "references": ["https://attack.mitre.org/techniques/T1556/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where sourcetype=\"OktaIM2:log\" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Accounts Locked Out", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "a511426e-184f-4de6-8711-cfd2af29d1e1", "description": "The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.", "risk_score": 49, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_multiple_accounts_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "826dbaae-a1e6-4c8c-b384-d16898956e73", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requests for user $src_user$ from IP Address - $src_ip$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Failed Requests to Access Applications", "author": "John Murphy, Okta, Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "description": "The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are unsuccessful across multiple applications. This activity is significant as it may indicate an attempt to bypass authentication mechanisms. If confirmed malicious, it could lead to unauthorized access to sensitive applications and data, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1538", "https://attack.mitre.org/techniques/T1550/004"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', \": \") | eval targets=mvfilter(targets LIKE \"AppInstance%\") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\"policy.evaluate_sign_on\",targets,NULL))) as total_challenges sum(eval(if(eventType=\"user.authentication.sso\",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if(\"outcome.result\"=\"SUCCESS\",targets,NULL))) as success_apps values(eval(if(\":outcome.result\"!=\"SUCCESS\",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity=\"HIGH\", mitre_technique_id=\"T1538\", description=\"actor.alternateId\". \" from \" . \"client.ipAddress\" . \" seen opening \" . total_challenges . \" chiclets/apps with \" . total_successes . \" challenges successfully passed\" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_requests_to_access_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "de365ffa-42f5-46b5-b43f-fa72290b8218", "description": "The following analytic identifies instances where more than 10 unique user accounts have failed to authenticate from a single IP address within a 5-minute window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to compromise multiple user accounts, potentially leading to unauthorized access to organizational resources and data breaches.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action=\"failure\" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta New API Token Created", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "description": "The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_new_api_token_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta New Device Enrolled on Account", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "description": "The following analytic identifies when a new device is enrolled on an Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to detect the creation of new device enrollments. This activity is significant as it may indicate a legitimate user setting up a new device or an adversary adding a device to maintain unauthorized access. If confirmed malicious, this could lead to potential account takeover, unauthorized access, and persistent control over the compromised Okta account. Monitoring this behavior is crucial for detecting and mitigating unauthorized access attempts.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized.", "risk_score": 24, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is possible that the user has legitimately added a new device to their account. Please verify this activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_new_device_enrolled_on_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Phishing Detection with FastPass Origin Check", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "description": "The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason \"FastPass declined phishing attempt.\" This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.", "references": ["https://sec.okta.com/fastpassphishingdetection"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Okta FastPass has prevented $user$ from authenticating to a malicious site.", "risk_score": 100, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"user.authentication.auth_via_mfa\" AND result=\"FAILURE\" AND outcome.reason=\"FastPass declined phishing attempt\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_phishing_detection_with_fastpass_origin_check_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Risk Threshold Exceeded", "author": "Michael Haag, Bhavin Patel, Splunk", "date": "2024-05-28", "version": 3, "id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "description": "The following correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities. It leverages the Risk Framework from Enterprise Security, aggregating risk events from \"Suspicious Okta Activity,\" \"Okta Account Takeover,\" and \"Okta MFA Exhaustion\" analytic stories. This detection is significant as it highlights potentially compromised user accounts exhibiting multiple tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed malicious, this activity could indicate a serious security breach, allowing attackers to gain unauthorized access, escalate privileges, or persist within the environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types", "https://sec.okta.com/everythingisyes"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "User", "role": ["Victim"]}], "message": "Okta Risk threshold exceeded for user [$risk_object$]. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN (\"Okta Account Takeover\", \"Suspicious Okta Activity\",\"Okta MFA Exhaustion\") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name(\"All_Risk\")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`", "how_to_implement": "This search leverages the Risk Framework from Enterprise Security. Ensure that \"Suspicious Okta Activity\", \"Okta Account Takeover\", and \"Okta MFA Exhaustion\" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed.", "known_false_positives": "False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.", "datamodel": ["Risk"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_risk_threshold_exceeded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Successful Single Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 2, "id": "98f6ad4f-4325-4096-9d69-45dc8e638e82", "description": "The following analytic identifies successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication events where \"Okta Verify\" is not used. This behavior is significant as it may indicate a misconfiguration, policy violation, or potential account takeover. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches or further exploitation within the environment.", "references": ["https://sec.okta.com/everythingisyes", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$].", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !=\"Okta Verify\" | `okta_successful_single_factor_authentication_filter`", "how_to_implement": "This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Suspicious Activity Reported", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 3, "id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "description": "The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities.", "known_false_positives": "False positives should be minimal, given the high fidelity of this detection. marker.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_suspicious_activity_reported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Suspicious Use of a Session Cookie", "author": "Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk", "date": "2024-05-29", "version": 3, "id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "description": "The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1539/"], "tags": {"analytic_story": ["Okta Account Takeover", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur, depending on the organization's size and the configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_use_of_a_session_cookie_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Threat Detected", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "description": "The following analytic identifies threats detected by Okta ThreatInsight, such as password spraying, login failures, and high counts of unknown user login attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected events. This activity is significant for a SOC as it highlights potential unauthorized access attempts and credential-based attacks. If confirmed malicious, these activities could lead to unauthorized access, data breaches, and further exploitation of compromised accounts, posing a significant risk to the organization's security posture.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "app", "type": "Endpoint", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType = security.threat.detected | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_threatinsight_threat_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Unauthorized Access to Application", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "5f661629-9750-4cb9-897c-1f05d6db8727", "description": "The following analytic identifies attempts by users to access Okta applications that have not been assigned to them. It leverages Okta Identity Management logs, specifically focusing on failed access attempts to unassigned applications. This activity is significant for a SOC as it may indicate potential unauthorized access attempts, which could lead to exposure of sensitive information or disruption of services. If confirmed malicious, such activity could result in data breaches, non-compliance with data protection laws, and overall compromise of the IT environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$]", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action=\"failure\" by _time Authentication.src Authentication.user | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_unauthorized_access_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta User Logins from Multiple Cities", "author": "Bhavin Patel, Splunk", "date": "2024-05-09", "version": 2, "id": "a3d1df37-c2a9-41d0-aa8f-59f82d6192a8", "description": "The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "okta_user_logins_from_multiple_cities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Path traversal SPL injection", "author": "Rod Soto, Splunk", "date": "2024-05-26", "version": 3, "id": "dfe55688-82ed-4d24-a21b-ed8f0e0fda99", "description": "The following analytic identifies attempts at path traversal in search parameters, which can lead to SPL injection. It detects this activity by searching for specific patterns in the `_internal` index that indicate path traversal attempts (e.g., \"../../../../\"). This activity is significant for a SOC because it can allow an attacker to manipulate the application to load data from incorrect endpoints, potentially running arbitrary SPL queries. If confirmed malicious, this could lead to unauthorized data access, code execution, or further exploitation of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `path_traversal_spl_injection` | search \"\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/\" | stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter (\"../../../../../../../../../\") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "path_traversal_spl_injection", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "path_traversal_spl_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "author": "Rod Soto, Splunk", "date": "2024-05-24", "version": 2, "id": "ce6e1268-e01c-4df2-a617-0f034ed49a43", "description": "The following analytic identifies potential persistent Cross-Site Scripting (XSS) attacks in Splunk Enterprise 9.0 versions before 9.0.4 through user interface views. It leverages audit logs from the `audit_searches` data source to detect actions involving Base64-encoded images in error messages. This activity is significant because it can allow attackers to inject malicious scripts that execute in the context of other users, leading to unauthorized actions or data exposure. If confirmed malicious, this could result in persistent control over the affected Splunk instance, compromising its integrity and confidentiality.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index", "known_false_positives": "This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID Mismatch Auth Source and Verification Response", "author": "Steven Dick", "date": "2024-05-22", "version": 2, "id": "15b0694e-caa2-4009-8d83-a1f98b86d086", "description": "The following analytic identifies discrepancies between the IP address of an authentication event and the IP address of the verification response event, focusing on differences in the originating countries. It leverages JSON logs from PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity is significant as it may indicate suspicious sign-in behavior, such as account compromise or unauthorized access attempts. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive systems and data.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$].", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` (\"result.status\" IN (\"SUCCESS*\",\"FAIL*\",\"UNSUCCESSFUL*\") NOT \"result.message\" IN (\"*pair*\",\"*create*\",\"*delete*\")) | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' | join user session_id [ search `pingid` (\"result.status\" IN (\"POLICY\") AND \"resources{}.ipaddress\"=*) AND \"result.message\" IN(\"*Action: Authenticate*\",\"*Action: Approve*\",\"*Action: Allowed*\") | rex field=result.message \"IP Address: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Action: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application Name: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application ID: (?:N\\/A)?(?.+)?\\n\" | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by users working out the geographic region where the organizations services or technology is hosted.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "pingid_mismatch_auth_source_and_verification_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID Multiple Failed MFA Requests For User", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "c1bc706a-0025-4814-ad30-288f38865036", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within a PingID environment. It triggers when 10 or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access, as the user might eventually accept the fraudulent request, compromising the security of the account and potentially the entire network.", "references": ["https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.status\" IN (\"FAILURE,authFail\",\"UNSUCCESSFUL_ATTEMPT\") | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "pingid_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID New MFA Method After Credential Reset", "author": "Steven Dick", "date": "2024-05-21", "version": 2, "id": "2fcbce12-cffa-4c84-b70c-192604d201d0", "description": "The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677", "https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.message\" = \"*Device Paired*\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,\"duration\"),\"(\\d*)\\+*(\\d+):(\\d+):(\\d+)\",\"\\2 hours \\3 minutes\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`", "how_to_implement": "Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_new_mfa_method_after_credential_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID New MFA Method Registered For User", "author": "Steven Dick", "date": "2024-05-07", "version": 2, "id": "892dfeaf-461d-4a78-aac8-b07e185c9bce", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$], the device [$object$] was $action$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.message\"=\"Device Paired*\" result.status=\"SUCCESS\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "pingid_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "author": "Rod Soto", "date": "2024-05-17", "version": 2, "id": "356bd3fe-f59b-4f64-baa1-51495411b7ad", "description": "The following analytic detects the exploitation of an absolute path traversal vulnerability in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, where an attacker can execute arbitrary code located on a separate disk. It leverages logs from the `splunk_python` macro, specifically looking for the `runshellscript` command with a specific argument count and path pattern. This activity is significant as it indicates a potential exploitation attempt that could lead to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the Splunk instance, leading to data breaches or further system compromise.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0806"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attack against splunk_server $splunk_server$ through abuse of the runshellscript command", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` *runshellscript* | eval log_split=split(_raw, \"runshellscript: \") | eval array_raw = mvindex(log_split,1) | eval data_cleaned=replace(replace(replace(array_raw,\"\\[\",\"\"),\"\\]\",\"\"),\"'\",\"\") | eval array_indices=split(data_cleaned,\",\") | eval runshellscript_args_count=mvcount(array_indices) | where runshellscript_args_count = 10 | eval interpreter=mvindex(array_indices,0) | eval targetScript=mvindex(array_indices,1) | eval targetScript != \"*C:*\" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_absolute_path_traversal_using_runshellscript_filter`", "how_to_implement": "Must have access to internal indexes. Only applies to Splunk on Windows versions.", "known_false_positives": "The command runshellscript can be used for benign purposes. Analyst will have to review the searches and determined maliciousness specially by looking at targeted script.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_absolute_path_traversal_using_runshellscript_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "f844c3f6-fd99-43a2-ba24-93e35fe84be6", "description": "The following analytic identifies the presence of environment variables in Splunk dashboard drilldown URLs. It uses the REST API to query dashboards for specific patterns in the XML data. This activity is significant because it can expose sensitive tokens from privileged users if an attacker shares a malicious dashboard. If confirmed malicious, this could allow an attacker to detokenize variables and potentially gain unauthorized access to sensitive information or escalate privileges within the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "author", "type": "User", "role": ["Attacker"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data=\"*$env:*\" eai:data=\"*url*\" eai:data=\"*options*\" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS \"Dashboard XML\" | fields Author Permissions App \"Dashboard XML\" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter`", "how_to_implement": "This search uses REST function to query for dashboards with environment variables present in URL options.", "known_false_positives": "This search may reveal non malicious URLs with environment variables used in organizations.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 2, "id": "a053e6a6-2146-483a-9798-2d43652f3299", "description": "The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It leverages REST API queries to monitor the creation of these lookups, focusing on fields such as title, author, and access control lists. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x, potentially allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "eai:acl.app", "type": "Other", "role": ["Victim"]}], "message": "Please review $eai:acl.app$ for possible malicious lookups", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest splunk_server=local /services/data/lookup-table-files/ | fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data | `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`", "how_to_implement": "Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable.", "known_false_positives": "This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Authentication Token Exposure in Debug Log", "author": "Rod Soto, Chase Franklin", "date": "2024-05-25", "version": 2, "id": "9a67e749-d291-40dd-8376-d422e7ecf8b5", "description": "The following analytic identifies exposed authentication tokens in debug logs within Splunk Enterprise. It leverages logs from the `splunkd` component with a DEBUG log level, specifically searching for event messages that validate tokens. This activity is significant because exposed tokens can be exploited by attackers to gain unauthorized access to the Splunk environment. If confirmed malicious, this exposure could lead to unauthorized data access, privilege escalation, and potential compromise of the entire Splunk infrastructure. Monitoring and addressing this vulnerability is crucial for maintaining the security and integrity of the Splunk deployment.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0301"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible JsonWebToken exposure, please investigate affected $host$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` component=JsonWebToken log_level=DEBUG eventtype=\"splunkd-log\" event_message=\"Validating token:*\" | rex \"Validating token: (?.*)\\.$\" | search token!=None | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_authentication_token_exposure_in_debug_log_filter`", "how_to_implement": "Requires access to internal Splunk indexes.", "known_false_positives": "Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9", "datamodel": ["Web"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_authentication_token_exposure_in_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "author": "Rod Soto", "date": "2024-05-24", "version": 2, "id": "b06b41d7-9570-4985-8137-0784f582a1b3", "description": "The following analytic identifies attempts to exploit a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. It detects this activity by analyzing events in the _internal index with the file=export parameter. This behavior is significant because it indicates a potential code injection attack, which could lead to remote code execution (RCE). If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary commands, and potentially compromise the entire Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential exploitation of Code Injection via Dashboard PDF generation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode(\"uri_path\")| rex field=URL \"\\/saved\\/searches\\/(?[^\\/]*)\" | rex field=URL \"\\/data\\/ui\\/views\\/(?[^\\/]*)\" | eval NAME=NAME.\"( Saved Search )\",NAME1=NAME1.\"( Dashboard )\" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,\"2\\d+\"),\"SUCCESS\",match(status,\"3\\d+\"),\"REDIRECTION\",match(status,\"4\\d+\") OR match(status,\"5\\d+\"),\"ERROR\") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "8d3d5d5e-ca43-42be-aa1f-bc64375f6b04", "description": "The following analytic detects the use of the 'delete' command in Splunk, which can be used to remove queried data. This detection leverages the Splunk Audit data model, specifically monitoring ad-hoc searches containing the 'delete' command by non-system users. This activity is significant because the 'delete' command is rarely used and can indicate potential data tampering or unauthorized data removal. If confirmed malicious, this activity could lead to the loss of critical log data, hindering incident investigations and compromising the integrity of the monitoring environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ executed the 'delete' command, if this is unexpected it should be reviewed.", "risk_score": 27, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| delete*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.", "known_false_positives": "False positives may be present if this command is used as a common practice. Filter as needed.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_delete_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "1cf58ae1-9177-40b8-a26c-8966040f11ae", "description": "The following analytic identifies the execution of risky commands within the Splunk platform, such as `runshellscript`, `delete`, and `sendemail`. It leverages the Search_Activity data model to detect ad hoc searches containing these commands, excluding those run by the splunk-system-user. This activity is significant because it may indicate attempts at data exfiltration, deletion, or other unauthorized actions by a malicious user. If confirmed malicious, this could lead to data loss, unauthorized data transfer, or system compromise, severely impacting the organization's security posture.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json", "https://advisory.splunk.com/advisories/SVD-2024-0302"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A risky Splunk command has ran by $user$ and should be reviewed.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will be present until properly filtered by Username and search name.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_risky_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "author": "Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk", "date": "2024-05-15", "version": 2, "id": "19d0146c-2eae-4e53-8d39-1198a78fa9ca", "description": "The following analytic identifies the execution of risky SPL commands with abnormally long run times by leveraging a machine learning model named \"risky_command_abuse.\" It uses the Splunk Audit data model to compare current search activities against a baseline of the past seven days. This activity is significant for a SOC as it can indicate potential misuse or abuse of powerful SPL commands, which could lead to unauthorized data access or system manipulation. If confirmed malicious, this activity could allow an attacker to execute arbitrary scripts, delete data, or exfiltrate sensitive information.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Abnormally long run time for risk SPL command seen by user $(Search_Activity.user).", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!=\"\") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`", "how_to_implement": "This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.", "known_false_positives": "If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk CSRF in the SSG kvstore Client Endpoint", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "4742d5f7-ce00-45ce-9c79-5e98b43b4410", "description": "The following analytic identifies attempts to exploit a cross-site request forgery (CSRF) vulnerability in the Splunk Secure Gateway (SSG) app's kvstore_client endpoint. It detects GET requests to the vulnerable endpoint using internal index data, focusing on specific URI paths and HTTP methods. This activity is significant because it can allow unauthorized updates to SSG KV store collections, potentially leading to data manipulation or unauthorized access. If confirmed malicious, this could enable attackers to alter critical configurations or exfiltrate sensitive information, compromising the integrity and security of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0212"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CSRF exploitation attempt from $splunk_server$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkda` uri_path=\"/*/splunkd/__raw/services/ssg/kvstore_client\" method=\"GET\" delete_field_value=\"spacebridge_server\" status=\"200\" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`", "how_to_implement": "Requires access to internal index.", "known_false_positives": "This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-25", "version": 2, "id": "b6d77c6c-f011-4b03-8650-8f10edb7c4a8", "description": "The following analytic identifies attempts to exfiltrate data by executing a prepositioned malicious search ID in Splunk's Analytic Workspace. It leverages the `audit_searches` data source to detect suspicious `mstats` commands indicative of injection attempts. This activity is significant as it may indicate a phishing-based attack where an attacker compels a victim to initiate a malicious request, potentially leading to unauthorized data access. If confirmed malicious, this could result in significant data exfiltration, compromising sensitive information and impacting the organization's security posture.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential data exfiltration attack using SID query by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` info=granted search NOT (\"audit_searches\") search NOT (\"security_content_summariesonly\") AND ((search=\"*mstats*[*]*\" AND provenance=\"N/A\") OR (search=\"*mstats*\\\\\\\"*[*]*\\\\\\\"*\"))| eval warning=if(match(search,\"\\\\\\\\\\\"\"), \"POTENTIAL INJECTION STAGING\", \"POTENTIAL INJECTION EXECUTION\") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`", "how_to_implement": "The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run \"Splunk Command and Scripting Interpreter Risky SPL MLTK\" to gain more insight into potentially risky commands which could lead to data exfiltration.", "known_false_positives": "This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to \"/en-US/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Infrastructure Version", "author": "Lou Stella, Splunk", "date": "2024-05-27", "version": 2, "id": "3c162281-7edb-4ebc-b9a4-5087aaf28fa7", "description": "The following analytic identifies improper TLS validation configuration on Splunk search heads and peers post version 9. It leverages REST API calls to retrieve server information and SSL configuration settings, checking fields like `sslVerifyServerCert` and `sslVerifyServerName`. This activity is significant for a SOC as improper TLS settings can expose the infrastructure to man-in-the-middle attacks and data breaches. If confirmed malicious, attackers could intercept or manipulate data, compromising the integrity and confidentiality of communications within the Splunk environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk-to-Splunk_communication", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"sslConfig\"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value=\"Not Set\" | rename sslVerifyServerCert as \"Server.conf:SslConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:SslConfig:sslVerifyServerName\", serverCert as \"Server.conf:SslConfig:serverCert\" | `splunk_digital_certificates_infrastructure_version_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "No known at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_digital_certificates_infrastructure_version_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Lack of Encryption", "author": "Lou Stella, Splunk", "date": "2024-05-18", "version": 2, "id": "386a7ebc-737b-48cf-9ca8-5405459ed508", "description": "The following analytic identifies Splunk forwarder connections that are not using TLS encryption. It leverages data from the `splunkd` logs, specifically looking for connections where the `ssl` field is set to \"false\". This activity is significant because unencrypted connections can expose sensitive data and allow unauthorized access, posing a security risk. If confirmed malicious, an attacker could exploit this vulnerability to download or publish forwarder bundles, potentially leading to arbitrary code execution and further compromise of the environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "hostname", "type": "Hostname", "role": ["Victim"]}], "message": "$hostname$ is not using TLS when forwarding data", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`splunkd` group=\"tcpin_connections\" ssl=\"false\" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`", "how_to_implement": "This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the \"ssl=false\" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_digital_certificates_lack_of_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DoS Using Malformed SAML Request", "author": "Rod Soto", "date": "2024-05-29", "version": 2, "id": "8e8a86d5-f323-4567-95be-8e817e2baee6", "description": "The following analytic detects a denial of service (DoS) attempt using a malformed SAML request targeting the /saml/acs REST endpoint in Splunk Enterprise versions lower than 9.0.6 and 8.2.12. It leverages `splunkd` logs, specifically looking for error messages containing \"xpointer\" in the `expr` field. This activity is significant because it can cause the Splunk daemon to crash or hang, disrupting service availability. If confirmed malicious, this attack could lead to prolonged downtime, impacting the organization's ability to monitor and respond to security events.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0802"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible DoS attack against Splunk Server $splunk_server$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`", "how_to_implement": "To run this search, you must have access to the _internal index.", "known_false_positives": "This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_dos_using_malformed_saml_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DOS Via Dump SPL Command", "author": "Rod Soto", "date": "2024-05-03", "version": 2, "id": "fb0e6823-365f-48ed-b09e-272ac4c1dad6", "description": "The following analytic identifies a potential Denial of Service (DoS) attack exploiting the dump SPL command in vulnerable Splunk Enterprise versions. It detects this activity by searching the `splunk_crash_log` for segmentation fault entries, indicating a crash of the Splunk daemon. This activity is significant for a SOC because it can disrupt the availability of Splunk services, impacting monitoring and incident response capabilities. If confirmed malicious, this attack could render Splunk Enterprise unusable, severely hindering an organization's ability to detect and respond to other security threats.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack with Victim $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_crash_log` \"*Segmentation fault*\" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`", "how_to_implement": "This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.", "known_false_positives": "Segmentation faults may occur due to other causes, so this search may produce false positives", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_dos_via_dump_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DoS via Malformed S2S Request", "author": "Lou Stella, Splunk", "date": "2024-05-27", "version": 3, "id": "fc246e56-953b-40c1-8634-868f9e474cbd", "description": "The following analytic identifies attempts to exploit a Denial of Service (DoS) vulnerability in the Splunk-to-Splunk (S2S) protocol by detecting malformed S2S requests. It leverages `splunkd` logs, specifically looking for \"ERROR\" level logs from the \"TcpInputProc\" component with the thread name \"FwdDataReceiverThread\" and the message \"Invalid _meta atom.\" This activity is significant as it targets a known vulnerability that could disrupt Splunk services. If confirmed malicious, this could lead to service outages, impacting the availability and reliability of Splunk for monitoring and analysis.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` log_level=\"ERROR\" component=\"TcpInputProc\" thread_name=\"FwdDataReceiverThread\" \"Invalid _meta atom\" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.", "known_false_positives": "None.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_dos_via_malformed_s2s_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DoS via POST Request Datamodel Endpoint", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "45766810-dbb2-44d4-b889-b4ba3ee0d1f5", "description": "The following is a hunting search that allows investigation of error messages indicating Splunk HTTP engine shutdown as a result of a crafted posted request against '/datamodel/model' endpoint.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0710"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Denial of Service attack against $splunk_server$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webs` log_level=INFO message=\"ENGINE: HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down\" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_dos_via_post_request_datamodel_endpoint_filter`", "how_to_implement": "Need access to the internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives as other causes can also shut down splunk HTTP engine, however this denial of service error is associated to a request to the datamodel/model endpoing which operator can research and find proximity of request and message in logs.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_webs", "definition": "index=_internal sourcetype=splunk_web_service", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_dos_via_post_request_datamodel_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DOS via printf search function", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-25", "version": 2, "id": "78b48d08-075c-4eac-bd07-e364c3780867", "description": "The following analytic identifies the use of the `printf` SPL function in Splunk searches, which can be exploited for a denial of service (DoS) attack. It detects this activity by querying the `audit_searches` data source for specific patterns involving `makeresults`, `eval`, `fieldformat`, and `printf` functions, excluding searches by the `splunk_system_user`. This activity is significant because it targets a known vulnerability in Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, potentially disrupting the availability of the Splunk instance. If confirmed malicious, this could lead to service outages and impact the monitoring and logging capabilities of the organization.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack against $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` \"*makeresults * eval * fieldformat *printf*\" user!=\"splunk_system_user\" search!=\"*audit_searches*\" | stats count by user splunk_server host search | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter`", "how_to_implement": "This search requires the ability to search internal indexes.", "known_false_positives": "This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_dos_via_printf_search_function_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Edit User Privilege Escalation", "author": "Rod Soto, Chase Franklin", "date": "2024-05-15", "version": 2, "id": "39e1c326-67d7-4c0d-8584-8056354f6593", "description": "The following analytic identifies attempts by low-privilege users to escalate their privileges to admin by exploiting the edit_user capability. It detects this activity by analyzing audit trail logs for specific actions such as \"change_own_password\" and \"edit_password\" where the info field is \"granted\" and the user is not an admin or system user. This activity is significant because it indicates potential privilege escalation, which is a critical security concern. If confirmed malicious, this could allow an attacker to gain administrative access, leading to full control over the Splunk environment and potential data breaches.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible attempt to abuse edit_user function by $user$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audittrail` action IN (\"change_own_password\",\"password_change\",\"edit_password\") AND info=\"granted\" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.", "known_false_positives": "This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_edit_user_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2024-05-27", "version": 2, "id": "b237d393-2f57-4531-aad7-ad3c17c8b041", "description": "The following analytic identifies crashes in the Splunk search app caused by specially crafted ZIP files, affecting Universal Forwarder versions 8.1.11 and 8.2 versions below 8.2.7.1. It detects this activity by monitoring Universal Forwarder error logs for specific messages indicating invalid or binary file issues. This activity is significant because it can disrupt Splunk operations, leading to potential data loss or monitoring gaps. If confirmed malicious, this attack could result in a denial of service, hindering the organization's ability to monitor and respond to other security incidents effectively.", "references": ["https://en.wikipedia.org/wiki/ZIP_(file_format)", "https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 75, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`", "how_to_implement": "Need to monitor Splunkd data from Universal Forwarders.", "known_false_positives": "This search may reveal non malicious zip files causing errors as well.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-10", "version": 2, "id": "8f0e8380-a835-4f2b-b749-9ce119364df0", "description": "The following analytic detects unauthorized attempts to reload Splunk KV Store collections via the REST API. It leverages internal index logs to identify POST requests to the `/servicesNS/nobody/search/admin/collections-conf/_reload` endpoint, focusing on status codes starting with '2'. This activity is significant as it may indicate improper permission handling, potentially leading to unauthorized deletion of KV Store collections. If confirmed malicious, this could result in data loss or unauthorized data manipulation, impacting the integrity and availability of critical Splunk data.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0105"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attempt to access KV Store collections at $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method=\"POST\" user=* file=_reload | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_kv_store_incorrect_authorization_filter`", "how_to_implement": "Requires access to internal indexes and REST API enabled instances.", "known_false_positives": "This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_enterprise_kv_store_incorrect_authorization_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-07-01", "version": 3, "id": "947d4d2e-1b64-41fc-b32a-736ddb88ce97", "description": "The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0108"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Windows Deserialization exploitation via irregular path file against $host$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunk_python` request_path=\"/*/app/search/C:\\\\Program\" *strings* | rex \"request_path=(?[^\\\"]+)\" | rex field=file_path \"[^\\\"]+/(?[^\\\"\\'\\s/\\\\\\\\]+)\" | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_windows_deserialization_file_partition_filter`", "how_to_implement": "Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.", "known_false_positives": "Irregular path with files that may be purposely called for benign reasons may produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_enterprise_windows_deserialization_file_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-25", "version": 2, "id": "7f6a07bd-82ef-46b8-8eba-802278abd00e", "description": "The following analytic detects the creation of malformed Investigations in Splunk Enterprise Security (ES) versions lower than 7.1.2, which can lead to a denial of service (DoS). It leverages internal Splunk logs, specifically monitoring the `splunkd_investigation_rest_handler` with error statuses during investigation creation. This activity is significant as it can disrupt the functionality of the Investigations manager, hindering incident response efforts. If confirmed malicious, this could prevent security teams from accessing critical investigation data, severely impacting their ability to manage and respond to security incidents effectively.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0102"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Denial of Service Attack against Splunk ES Investigation Manager by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user host method msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_investigations_manager_via_investigation_creation_filter`", "how_to_implement": "This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.", "known_false_positives": "The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk ES DoS Through Investigation Attachments", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-29", "version": 2, "id": "bb85b25e-2d6b-4e39-bd27-50db42edcb8f", "description": "The following analytic detects attempts to perform a denial of service (DoS) attack through investigation attachments in Splunk Enterprise Security (ES) versions below 7.1.2. It leverages internal Splunk logs, specifically monitoring the `splunkd_investigation_rest_handler` for error statuses related to investigation objects. This activity is significant because it can render the Investigation feature inaccessible, disrupting incident response and forensic analysis. If confirmed malicious, this attack could prevent security teams from effectively managing and investigating security incidents, leading to prolonged exposure and potential data breaches.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0101"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Denial of Service detected at Splunk ES affecting $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` status=error object=investigation | stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_through_investigation_attachments_filter`", "how_to_implement": "This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2.", "known_false_positives": "This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_es_dos_through_investigation_attachments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "author": "Rod Soto, Chase Franklin", "date": "2024-05-27", "version": 2, "id": "e615a0e1-a1b2-4196-9865-8aa646e1708c", "description": "The following analytic identifies attempts to exploit an HTTP response splitting vulnerability via the rest SPL command in Splunk. It detects this activity by analyzing audit logs for specific search commands that include REST methods like POST, PUT, PATCH, or DELETE. This behavior is significant because it indicates a potential attempt to access restricted REST endpoints, which could lead to unauthorized access to sensitive information. If confirmed malicious, this activity could allow an attacker to access restricted content, such as password files, by injecting commands into HTTP requests.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "URL String", "role": ["Victim"]}], "message": "Suspicious access by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` AND search IN (\"*|*rest*POST*\",\"*|*rest*PUT*\",\"*|*rest*PATCH*\",\"*|*rest*DELETE*\") AND NOT search=\"*audit_searches*\" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.", "known_false_positives": "This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_http_response_splitting_via_rest_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "author": "Chase Franklin, Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "08978eca-caff-44c1-84dc-53f17def4e14", "description": "The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "An attempt to exploit ingest eval parameter was detected from $user$", "risk_score": 100, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search=\"*makeresults*\"AND Search_Activity.search=\"*ingestpreview*transforms*\") Search_Activity.search_type=adhoc Search_Activity.search!=\"*splunk_improperly_formatted_parameter_crashes_splunkd_filter*\" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter`", "how_to_implement": "Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-20", "version": 2, "id": "b7b82980-4a3e-412e-8661-4531d8758735", "description": "The following analytic identifies the presence of vulnerable versions of Splunk Add-on Builder (below 4.1.4) that write sensitive information to internal log files. It uses REST API queries to check installed app versions and flags those below the secure threshold. This activity is significant because it exposes sensitive data, which could be exploited by attackers. If confirmed malicious, this vulnerability could lead to unauthorized access to sensitive information, compromising the security and integrity of the Splunk environment. Immediate updates to version 4.1.4 or higher are recommended.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0111"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "version", "type": "Other", "role": ["Other"]}], "message": "Vulnerable $version$ of Splunk Add-on Builder found - Upgrade Immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/apps/local | search disabled=0 core=0 label=\"Splunk Add-on Builder\" | dedup label | search version < 4.1.4 | eval WarningMessage=\"Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111\" | table label version WarningMessage | `splunk_information_disclosure_in_splunk_add_on_builder_filter`", "how_to_implement": "This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed.", "known_false_positives": "This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_information_disclosure_in_splunk_add_on_builder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Information Disclosure on Account Login", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "2bae5d19-6d1b-4db0-82ab-0af5ac5f836c", "description": "This is a composed hunting search that looks for possible user enumeration attempts when SAML is enabled on a Splunk instance by capturing different responses from server.", "references": ["https://advisory.splunk.com/SVD-2024-0716"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "Hostname", "role": ["Victim"]}], "message": "Possible user enumeration attack against $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` component=UiAuth status=failure action=login TcpChannelThread | stats count min(_time) as firstTime max(_time) as lastTime by user status action clientip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_information_disclosure_on_account_login_filter`", "how_to_implement": "Requires access to internal indexes _internal.", "known_false_positives": "This is a hunting search and requires operator to search for large number of login failures from several users indicating possible user enumeration attempts. May capture genuine login failures.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_information_disclosure_on_account_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk list all nonstandard admin accounts", "author": "Rod Soto", "date": "2024-05-21", "version": 2, "id": "401d689c-8596-4c6b-a710-7b6fdca296d3", "description": "The following analytic identifies nonstandard Splunk accounts with administrative rights on the instance, excluding the default admin account. It uses REST API calls to retrieve user data and filters for accounts with admin capabilities. This activity is significant as unauthorized admin accounts can indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could leverage these accounts to execute commands, escalate privileges, or persist within the environment, posing a significant risk to the integrity and security of the Splunk instance.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential stored XSS attempt from $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them.", "known_false_positives": "It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_list_all_nonstandard_admin_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-29", "version": 2, "id": "a1be424d-e59c-4583-b6f9-2dcc23be4875", "description": "The following analytic identifies low-privilege users attempting to view hashed Splunk passwords by querying the conf-user-seed REST endpoint. It leverages data from the `splunkd_web` logs, specifically monitoring access to the conf-user-seed endpoint. This activity is significant because it can indicate an attempt to escalate privileges by obtaining hashed credentials, potentially leading to admin account takeover. If confirmed malicious, this could allow an attacker to gain administrative control over the Splunk instance, compromising the entire environment's security.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempt to access Splunk hashed password file from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` uri=\"*/servicesNS/nobody/system/configs/conf-user-seed*\" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.", "known_false_positives": "This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-22", "version": 2, "id": "8ed58987-738d-4917-9e44-b8ef6ab948a6", "description": "The following analytic identifies path traversal attempts in the Splunk App for Lookup File Editing. It detects specially crafted web requests targeting lookup files by analyzing the `uri_query` field in the `_internal` index. This activity is significant because it allows low-privilege users to read and write to restricted areas of the Splunk installation directory, potentially accessing sensitive files like password hashes. If confirmed malicious, this could lead to unauthorized access, data breaches, and further exploitation of the Splunk environment.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts or malformed requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "author": "Rod Soto", "date": "2024-05-20", "version": 2, "id": "8a43558f-a53c-4ee4-86c1-30b1e8ef3606", "description": "The following analytic detects attempts to bypass URL validation in Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13 by targeting the vulnerable bootstrap version 2.3.1. It leverages `splunkd_web` logs, specifically monitoring GET requests to JavaScript files within the vulnerable bootstrap path. This activity is significant as it can allow a low-privileged user to perform path traversal, potentially accessing restricted and confidential information. If confirmed malicious, this could lead to unauthorized data access and compromise of sensitive information, including targeting admin users.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempted access to vulnerable bootstrap file by $clientip$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` method=GET uri_path=\"*bootstrap-2.3.1*\" file=\"*.js\" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`", "how_to_implement": "This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.", "known_false_positives": "This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "author": "Lou Stella, Splunk", "date": "2024-05-23", "version": 2, "id": "8ea57d78-1aac-45d2-a913-0cd603fb6e9e", "description": "The following analytic identifies unauthorized forwarder bundle downloads from Splunk Deployment Servers. It leverages native Splunk logs, specifically the `splunkd` component \"PackageDownloadRestHandler,\" to detect instances where an unauthenticated client may have downloaded forwarder bundles. This activity is significant because it could indicate a potential security breach, allowing unauthorized access to sensitive configurations and applications. If confirmed malicious, an attacker could gain insights into the deployment server's environment, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "$peer$ downloaded apps from $host$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` component=\"PackageDownloadRestHandler\" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter`", "how_to_implement": "This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_process_injection_forwarder_bundle_downloads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "author": "Lou Stella, Splunk", "date": "2024-05-28", "version": 2, "id": "900892bf-70a9-4787-8c99-546dd98ce461", "description": "The following analytic identifies weak encryption configurations in Splunk related to TLS validation within the httplib and urllib Python libraries. It uses REST API calls to check specific configuration settings on the search head and its peers, ensuring compliance with security advisories. This activity is significant for a SOC as weak encryption can be exploited for protocol impersonation attacks, leading to unauthorized access. If confirmed malicious, attackers could intercept and manipulate data, compromising the integrity and confidentiality of the Splunk environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"PythonSslClientConfig\" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as \"Server.conf:PythonSSLClientConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:PythonSSLClientConfig:sslVerifyServerName\", serverCert as \"Web.conf:Settings:serverCert\", sslVersions as \"Web.conf:Settings:sslVersions\" | `splunk_protocol_impersonation_weak_encryption_configuration_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration.", "datamodel": ["Web"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_configuration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "author": "Rod Soto, Splunk", "date": "2024-05-21", "version": 2, "id": "c76c7a2e-df49-414a-bb36-dce2683770de", "description": "The following analytic identifies the use of Splunk's default self-signed certificates, which are flagged as insecure. It detects events from the `splunkd` log where the event message indicates that an X509 certificate should not be used. This activity is significant because using weak encryption and self-signed certificates can expose the system to man-in-the-middle attacks and other security vulnerabilities. If confirmed malicious, attackers could impersonate Splunk services, intercept sensitive data, and compromise the integrity of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Splunk default issued certificate at $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` certificate event_message=\"X509 certificate* should not be used*\" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "839d12a6-b119-4d44-ac4f-13eed95412c8", "description": "The following analytic identifies instances where Splunk's Python3 client libraries fail to validate SSL certificates properly. It leverages logs from `splunk_python` to detect when \"simpleRequest SSL certificate validation is enabled without hostname verification.\" This activity is significant because improper SSL certificate validation can expose the system to man-in-the-middle attacks, allowing attackers to intercept or alter data. If confirmed malicious, this vulnerability could lead to unauthorized access, data breaches, and potential system compromise. Upgrading to Splunk version 9 and configuring TLS hostname validation is recommended to mitigate this risk.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Failed to validate certificate on $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` \"simpleRequest SSL certificate validation is enabled without hostname verification\" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "author": "Rod Soto", "date": "2024-05-15", "version": 2, "id": "bbe26f95-1655-471d-8abd-3d32fafa86f8", "description": "The following analytic identifies unauthorized attempts to use the /services/indexing/preview REST endpoint in Splunk. It detects POST requests to this endpoint by monitoring the _internal index for specific URI patterns. This activity is significant because it indicates a potential RBAC (Role-Based Access Control) bypass, allowing unauthorized users to overwrite search results if they know the search ID (SID) of an existing job. If confirmed malicious, this could lead to data manipulation, unauthorized access to sensitive information, and compromised integrity of search results.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Review $clientip$ access to indexing preview endpoint from low privilege user", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` method=\"POST\" uri=\"*/services/indexing/preview*\" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`", "how_to_implement": "This search does not require additional data ingestion. It requires the ability to search _internal index.", "known_false_positives": "This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE PDFgen Render", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "bc2b7437-0400-438b-9537-21ab5b7d2d53", "description": "This is a hunting search designed to find and discover exploitation attempts against Splunk pdfgen render endpoint which results in remote", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0701"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation against $host$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunk_pdfgen _raw IN (\"*base64*\", \"*lambda*\", \"*system*\") | stats count min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host, _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_pdfgen_render_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This search will hunt for exploitation attempts against Splunk PDFgen render function, and not all requests are necesarily malicious so there will be false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_pdfgen_render_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via External Lookup Copybuckets", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "8598f9de-bba8-42a4-8ef0-12e1adda4131", "description": "The following detection provides the ability to detect remote code execution attempts against a script named copybuckets present within the splunk_archiver application by calling this script as an external lookup.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0705"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation attempt against $host$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "index=_internal sourcetype=\"splunk_archiver-too_small\" *.csv | rex field=_raw \"Invoking command:\\s(?.*)\" | stats min(_time) as firstTime max(_time) as lastTime values(command) as command values(severity) as severity by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_external_lookup_copybuckets_filter`", "how_to_implement": "Requires access to internal indexes", "known_false_positives": "An operator must identify elements indicatives of command execution requests by looking at regex data being extracted from the log. Not all the requests will be malicious.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_external_lookup_copybuckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Serialized Session Payload", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-26", "version": 2, "id": "d1d8fda6-874a-400f-82cf-dcbb59d8e4db", "description": "The following analytic detects the execution of a specially crafted query using the 'collect' SPL command in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1. It leverages audit logs to identify searches containing both 'makeresults' and 'collect' commands. This activity is significant because it can indicate an attempt to serialize untrusted data, potentially leading to arbitrary code execution. If confirmed malicious, this could allow an attacker to execute code within the Splunk environment, leading to unauthorized access and control over the system.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential abuse of the 'collect' SPL command against $splunk_server$ by detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` file=* (search=\"*makeresults*\" AND search=\"*collect*\") | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_serialized_session_payload_filter`", "how_to_implement": "Requires access to the _audit index.", "known_false_positives": "There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_serialized_session_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "author": "Rod Soto", "date": "2024-05-16", "version": 2, "id": "baa41f09-df48-4375-8991-520beea161be", "description": "The following analytic identifies potential exploitation attempts against the Splunk Secure Gateway App's Mobile Alerts feature in Splunk versions 9.0, 8.2.x, and 8.1.x. It detects suspicious activity by monitoring requests to the mobile alerts endpoint using specific URI paths and query parameters. This activity is significant because an authenticated user could exploit this vulnerability to execute arbitrary operating system commands remotely. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation attempt from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri_path=\"/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" sort=\"notification.created_at:-1\" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`", "how_to_implement": "This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.", "known_false_positives": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is \"uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via User XSLT", "author": "Marissa Bower, Chase Franklin, Rod Soto, Bhavin Patel, Eric McGinnis, Splunk", "date": "2024-05-16", "version": 2, "id": "6cb7e011-55fb-48e3-a98d-164fa854e37e", "description": "The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing `splunkd_ui` logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Remote Code Execution via XLST from $src$ using useragent - $useragent$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` ((uri=\"*NO_BINARY_CHECK=1*\" AND \"*input.path=*.xsl*\") OR uri=\"*dispatch*.xsl*\") AND uri!= \"*splunkd_ui*\" | rex field=uri \"(?=\\s*([\\S\\s]+))\" | eval decoded_field=urldecode(string) | eval action=case(match(status,\"200\"),\"Allowed\",match(status,\"303|500|401|403|404|301|406\"),\"Blocked\",1=1,\"Unknown\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host | rename clientip as src, uri as dest_uri | iplocation src | fillnull value=\"N/A\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field | `splunk_rce_via_user_xslt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Reflected XSS in the templates lists radio", "author": "Rod Soto, Chase Franklin", "date": "2024-05-23", "version": 2, "id": "d532d105-c63f-4049-a8c4-e249127ca425", "description": "The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with `output_mode=radio` is used in a URI, leveraging `splunkd_webx` logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance.", "references": ["https://research.splunk.com/stories/splunk_vulnerabilities/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential XSS exploitation against radio template by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`", "how_to_implement": "This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to \"en-US/list/entities/x/ui/views\" which is the vulnerable injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_reflected_xss_in_the_templates_lists_radio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "author": "Rod Soto", "date": "2024-05-23", "version": 2, "id": "182f9080-4137-4629-94ac-cb1083ac981a", "description": "The following analytic identifies attempts to exploit a reflected cross-site scripting (XSS) vulnerability on the app search table endpoint in Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12. It detects this activity by analyzing web request logs for specific dataset commands (`makeresults`, `count`, `eval`, `baseSPL`) within the `splunkd_web` index. This activity is significant because successful exploitation can lead to the execution of arbitrary commands on the Splunk platform, potentially compromising the entire instance. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and manipulate data within the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0801"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible XSS attack against from $user$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` (dataset_commands=\"*makeresults*\" AND dataset_commands=\"*count*\" AND dataset_commands=\"*eval*\" AND dataset_commands=\"*baseSPL*\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip status user view root uri_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter`", "how_to_implement": "Need access to the internal indexes.", "known_false_positives": "This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_reflected_xss_on_app_search_table_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk risky Command Abuse disclosed february 2023", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2024-07-01", "version": 4, "id": "ee69374a-d27e-4136-adac-956a96ff60fd", "description": "The following analytic identifies the execution of high-risk commands associated with various Splunk vulnerability disclosures. It leverages the Splunk_Audit.Search_Activity datamodel to detect ad-hoc searches by non-system users that match known risky commands. This activity is significant for a SOC as it may indicate attempts to exploit known vulnerabilities within Splunk, potentially leading to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe threat to the organization's security posture.", "references": ["https://advisory.splunk.com/advisories"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_risky_command", "type": "Other", "role": ["Other"]}], "message": "Use of risky splunk command $splunk_risky_command$ detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats fillnull_value=\"N/A\" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != \"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_risky_command_abuse_disclosed_february_2023_filter`", "how_to_implement": "Requires implementation of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This search encompasses many commands.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_risky_command_abuse_disclosed_february_2023_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse", "filename": "splunk_risky_command_20240601.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "fields_list": null}]}, {"name": "Splunk Stored XSS conf-web Settings on Premises", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "ed1209ef-228d-4dab-9856-be9369925a5c", "description": "This hunting detection provides information on exploitation of stored XSS against /configs/conf-web/settings by an admin level user.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0717"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible XSS attack against $host$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` *script* *eval* | stats min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_stored_xss_conf_web_settings_on_premises_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives, operator must identify XSS elemetns in the splunk_python log related to the vulnerable endpoint.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_stored_xss_conf_web_settings_on_premises_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Stored XSS via Data Model objectName Field", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "062bff76-5f9c-496e-a386-cb1adcf69871", "description": "The following analytic identifies attempts to exploit a stored cross-site scripting (XSS) vulnerability in Splunk Enterprise via the Data Model object name field. It detects this activity by analyzing web access logs (`splunkd_webx`) for specific URI patterns and non-null query parameters. This activity is significant because it allows authenticated users to inject and store malicious scripts, leading to persistent XSS attacks. If confirmed malicious, this could enable attackers to execute arbitrary scripts in the context of other users, potentially leading to data theft, session hijacking, or further compromise of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2022-1109", "https://portswigger.net/web-security/cross-site-scripting/cheat-sheet"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` uri=/*/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`", "how_to_implement": "This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against \"/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_stored_xss_via_data_model_objectname_field_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Stored XSS via Specially Crafted Bulletin Message", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "fd852b27-1882-4505-9f2c-64dfb96f4fc1", "description": "The following hunting detection provides fields related to /service/messages endpoints where specially crafted bulletin message can exploit stored XSS.", "references": ["https://advisory.splunk.com/SVD-2024-0713"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "message", "type": "Other", "role": ["Other"]}], "message": "Please investigate $message for possible XSS attack in bulletin message $message$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/messages | search message=\"*http*\" | table id author message title | `splunk_stored_xss_via_specially_crafted_bulletin_message_filter`", "how_to_implement": "Need access to Splunk REST api data via search.", "known_false_positives": "Must look at messages field and find malicious suspicious characters or hyperlinks. Not all requests to this endpoint will be malicious.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_stored_xss_via_specially_crafted_bulletin_message_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated DoS via Null Pointer References", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "d67594fe-c317-41b8-9319-ec8428d5c2ea", "description": "The following hunting search provides information on splunkd crash as a result of a Denial of Service Exploitation via null pointer references which targets 'services/cluster/config' endpoint.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0702"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation attack against $host$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_crash_log` \"Segmentation fault\" \"POST /services/cluster/config\" | stats count min(_time) as firstTime max(_time) as lastTime by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthenticated_dos_via_null_pointer_references_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives. An operator needs to find proximity and detail of requests targeting cluster config endpoint and subsequent Segmentation fault in splunk crash log.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_unauthenticated_dos_via_null_pointer_references_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "author": "Rod Soto", "date": "2024-05-19", "version": 2, "id": "de3908dc-1298-446d-84b9-fa81d37e959b", "description": "The following analytic identifies potential log injection attempts into the Splunk server via specially crafted web URLs. It detects ANSI escape codes within the `uri_path` field of `splunkd_webx` logs. This activity is significant as it can lead to log file manipulation, potentially obfuscating malicious actions or misleading analysts. If confirmed malicious, an attacker could manipulate log files to hide their tracks or execute further attacks, compromising the integrity of the logging system and making incident response more challenging.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0606"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Splunk unauthenticated log injection web service log exploitation attempt against $host$ from $clientip$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` uri_path IN (\"*\\x1B*\", \"*\\u001b*\", \"*\\033*\", \"*\\0x9*\", \"*\\0x8*\") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`", "how_to_implement": "This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.", "known_false_positives": "This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unauthenticated_log_injection_web_service_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated Path Traversal Modules Messaging", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "e7c2b064-524e-4d65-8002-efce808567aa", "description": "This hunting search provides information on exploitation attempts against /modules/messaging endpoint, the exploit can be clearly seen as the ../ which signals an attempt to traverse target directories.", "references": ["https://advisory.splunk.com/SVD-2024-0711"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible directory traversal attack against $host$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` method=GET uri_path=\"/*/modules/messaging/*..*\" | stats min(_time) as firstTime max(_time) as lastTime values(method) as method values(uri_path) as uri_path by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthenticated_path_traversal_modules_messaging_filter`", "how_to_implement": "Only applies to Microsoft Windows installations of Splunk.", "known_false_positives": "May catch other exploitation attempts using path traversal related characters.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unauthenticated_path_traversal_modules_messaging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthorized Experimental Items Creation", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "84afda04-0cd6-466b-869e-70d6407d0a34", "description": "This hunting search provides information on finding possible creation of unauthorized items against /experimental endpoint.", "references": ["https://advisory.splunk.com/SVD-2024-0715"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible unauthorized creation of experimental items from $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` */experimental/* method=POST | stats count min(_time) as firstTime max(_time) as lastTime by clientip method uri_path uri status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthorized_experimental_items_creation_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "Not all requests are going to be malicious, there will be false positives, however operator must find suspicious items that might have been created by an unauthorized user.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unauthorized_experimental_items_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthorized Notification Input by User", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "4b7f368f-4322-47f8-8363-2c466f0b7030", "description": "This hunting search provides information to track possible exploitation of a lower privilege user able to push notifications that may include malicious code as notifications for all users in Splunk.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0709"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Please review messages at $splunk_server for possible unauthorized notification input.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/messages | table title message severity timeCreated_iso published splunk_server author | `splunk_unauthorized_notification_input_by_user_filter`", "how_to_implement": "Requires access to Splunk rest data.", "known_false_positives": "This search will produce false positives which may include benign notifications from other Splunk entities, attention to suspicious or anomalous elements in notifications helps identify actual exploitation of this vulnerability.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_unauthorized_notification_input_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "author": "Rod Soto, Splunk", "date": "2024-05-28", "version": 2, "id": "b7d1293f-e78f-415e-b5f6-443df3480082", "description": "The following analytic identifies user activity related to uploading lookup tables with unnecessary filename extensions in Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4. It detects this activity by monitoring HTTP methods (POST, DELETE) and specific URI paths in the internal `splunkd_access` logs. This behavior is significant because it can indicate attempts to upload potentially malicious files disguised as lookup tables. If confirmed malicious, this activity could allow an attacker to execute unauthorized code or manipulate data within the Splunk environment, leading to potential data breaches or system compromise.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkda` method IN (\"POST\", \"DELETE\") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method==\"POST\" AND like( uri_path , \"%/acl\" ) , \"Permissions Update\", method==\"POST\" AND NOT like( uri_path , \"%/acl\" ) , \"Edited\" , method==\"DELETE\" , \"Deleted\" ) | rex field=uri_path \"(?.*?)\\/ui\\/views/(?.*)\" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`", "how_to_implement": "Requires access to internal splunkd_access.", "known_false_positives": "This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk User Enumeration Attempt", "author": "Lou Stella, Splunk", "date": "2024-05-21", "version": 3, "id": "25625cb4-1c4d-4463-b0f9-7cb462699cde", "description": "The following analytic identifies attempts to enumerate usernames in Splunk by detecting multiple failed authentication attempts from the same source. It leverages data from the `_audit` index, specifically focusing on failed authentication events. This activity is significant for a SOC because it can indicate an attacker trying to discover valid usernames, which is a precursor to more targeted attacks like password spraying or brute force attempts. If confirmed malicious, this activity could lead to unauthorized access, compromising the security of the Splunk environment and potentially exposing sensitive data.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.", "risk_score": 40, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.", "known_false_positives": "Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd_failed_auths", "definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_user_enumeration_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS in Highlighted JSON Events", "author": "Rod Soto, Splunk", "date": "2024-07-01", "version": 3, "id": "1030bc63-0b37-4ac9-9ae0-9361c955a3cc", "description": "The following analytic identifies potential exploitation of a Cross-Site Scripting (XSS) vulnerability in Splunk Enterprise 9.1.2. It detects suspicious requests to the Splunk web GUI that may execute JavaScript within script tags. This detection leverages logs from the `splunkd_ui` data source, focusing on specific URI paths and HTTP methods. This activity is significant as it can allow attackers to execute arbitrary JavaScript, potentially accessing the API with the logged-in user's permissions. If the user is an admin, the attacker could create an admin account, leading to full control over the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1103"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation from $clientip$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` \"/*/splunkd/__raw/servicesNS/nobody/search/authentication/users\" status=201 | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_in_highlighted_json_events_filter`", "how_to_implement": "This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives as it is not possible to view contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_highlighted_json_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS in Monitoring Console", "author": "Lou Stella, Splunk", "date": "2024-05-17", "version": 2, "id": "b11accac-6fa3-4103-8a1a-7210f1a67087", "description": "The following analytic identifies attempts to exploit a reflective Cross-Site Scripting (XSS) vulnerability in the Splunk Distributed Monitoring Console app. It detects GET requests with suspicious query parameters by analyzing `splunkd_web` logs in the _internal index. This activity is significant because it targets a known vulnerability (CVE-2022-27183) that could allow attackers to execute arbitrary scripts in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `splunkd_web` method=\"GET\" uri_query=\"description=%3C*\" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.", "known_false_positives": "Use of the monitoring console where the less-than sign (<) is the first character in the description field.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_monitoring_console_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS in Save table dialog header in search page", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "a974d1ee-ddca-4837-b6ad-d55a8a239c20", "description": "The following analytic identifies persistent cross-site scripting (XSS) attempts in the 'Save Table' dialog on the Splunk search page. It detects POST requests to the endpoint `/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model` containing potential XSS payloads. This activity is significant because it can allow a remote user with the \"power\" role to inject malicious scripts, leading to persistent XSS vulnerabilities. If confirmed malicious, this could enable attackers to execute arbitrary scripts in the context of the affected user, potentially leading to data theft, session hijacking, or further exploitation within the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2022-1101", "https://portswigger.net/web-security/cross-site-scripting"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation attempt from $clientip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` method=POST uri=/*/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`", "how_to_implement": "Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.", "known_false_positives": "If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS Privilege Escalation via Custom Urls in Dashboard", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "01e1e386-7656-4f36-a55a-52fe39b04a96", "description": "This is a composed hunting search that looks for POST requests to splunk_internal_metrics/data/ui/views which can be used to elevate privileges on the Splunk server via custom urls. The way to find privilege escalation is by looking at created users with high privielges after payload has been executed. This search looks at POST request and then looks at created users privileges.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible XSS attack and privilege escalation via custom urls in dashboard against $host$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` method=POST /*/data/ui/views* | stats values(method) as method by _time index, sourcetype, host | eval event=\"post_request\" | append [| search `audittrail` action=\"edit_user\" operation=\"create\" | rex field=_raw \"object=\\\"(?.*)\\\"\" | stats count values(operation) as operation values(splunk_server) as splunk_server values(user) as user by _time index, sourcetype, host, newUser | eval event=\"create_user\"] | sort - _time | transaction host startswith=event=\"post_request\" endswith=event=\"create_user\" maxspan=10m | table _time index, sourcetype, host, method, user, splunk_server, operation, event, newUser eventcount | `splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter`", "how_to_implement": "Requires access to internal indexes _audit and _internal.", "known_false_positives": "This is a hunting search and requires operator to search for specific indicators of user creation in proximity to POST requests against vulnerable endpoint. It is not possible to detect payload during runtime.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS Via External Urls in Dashboards SSRF", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "b0a67520-ae82-4cf6-b04e-9f6cce56830d", "description": "This is a hunting search that provides elements to find possible dashboards created with external URL references in order to elicit Server Side Request Forgery from /data/ui/views endpoint.", "references": ["https://advisory.splunk.com/SVD-2024-0714"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible SSRF attack from $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` user=* uri_path=\"/*/manager/permissions/launcher/data/ui/views/*\" file=* | stats count min(_time) as firstTime max(_time) as lastTime by clientip user file host method uri_path uri_query | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_via_external_urls_in_dashboards_ssrf_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and requires an operator to search for specific indicators of Server Side Request Forgery attack against /data/ui/views. It is not possible to grab display the payloads of such requests, so this search provides users, ip addresses, requests, files, and queries that may indicate malicious intent. There will be false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_via_external_urls_in_dashboards_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk XSS via View", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-13", "version": 2, "id": "9ac2bfea-a234-4a18-9d37-6d747e85c2e4", "description": "The following analytic identifies potential Cross-Site Scripting (XSS) attempts via the 'layoutPanel' attribute in the 'module' tag within XML Views in Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4. It leverages internal logs from \"splunk_web_service\" and \"splunk_python\" sourcetypes, focusing on messages containing \"loadParams.\" This activity is significant as it can lead to unauthorized script execution within the Splunk Web interface, potentially compromising the security of the instance. If confirmed malicious, attackers could execute arbitrary scripts, leading to data theft, session hijacking, or further exploitation of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "fileName", "type": "URL String", "role": ["Target"]}], "message": "Potential stored XSS attempt via $fileName$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "index = _internal sourcetype IN (\"splunk_web_service\", \"splunk_python\") message=\"*loadParams*\" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`", "how_to_implement": "This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.", "known_false_positives": "The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_view_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email Attachment Extensions", "author": "David Dorsey, Splunk", "date": "2024-05-29", "version": 4, "id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "description": "The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a Playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.'", "known_false_positives": "None identified", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_email_attachments", "definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions"}, {"name": "suspicious_email_attachment_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Java Classes", "author": "Jose Hernandez, Splunk", "date": "2024-05-19", "version": 2, "id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "description": "The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_method=POST http_content_length>1 | regex form_data=\"(?i)java\\.lang\\.(?:runtime|processbuilder)\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_java_classes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Servers Executing Suspicious Processes", "author": "David Dorsey, Splunk", "date": "2024-05-11", "version": 2, "id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "description": "The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model \"Endpoint.Processes\" to search for specific process names such as \"whoami\", \"ping\", \"iptables\", \"wget\", \"service\", and \"curl\". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\"web_server\" AND (Processes.process=\"*whoami*\" OR Processes.process=\"*ping*\" OR Processes.process=\"*iptables*\" OR Processes.process=\"*wget*\" OR Processes.process=\"*service*\" OR Processes.process=\"*curl*\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "web_servers_executing_suspicious_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-12", "version": 2, "id": "0840ddf1-8c89-46ff-b730-c8d6722478c0", "description": "The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment.", "references": [], "tags": {"analytic_story": ["Compromised User Account", "Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename \"IsOutlier(api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Destroyed", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 2, "id": "ef629fc9-1583-4590-b62a-f2247fbf7bbf", "description": "The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to detect outliers. This activity is significant for a SOC because a sudden spike in destroyed instances could indicate malicious activity, such as an insider threat or a compromised account attempting to disrupt services. If confirmed malicious, this could lead to significant operational disruptions, data loss, and potential financial impact due to the destruction of critical cloud resources.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename \"IsOutlier(instances_destroyed)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.", "known_false_positives": "Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_destroyed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Launched", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 3, "id": "f2361e9f-3928-496c-a556-120cd4223a65", "description": "The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to identify outliers based on historical data. This activity is significant for a SOC because a sudden spike in instance creation could indicate unauthorized access or misuse of cloud resources. If confirmed malicious, this behavior could lead to resource exhaustion, increased costs, or provide attackers with additional compute resources to further their objectives.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_launched_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 2, "id": "d4dfb7f3-7a37-498a-b5df-f19334e871af", "description": "The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename \"IsOutlier(security_group_api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_security_group_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Amazon EKS Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "294c4686-63dd-4fe6-93a2-ca807626704a", "description": "The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the \"system:anonymous\" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" userAgent!=\"AWS Security Scanner\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Amazon EKS Kubernetes Pod scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-29", "version": 2, "id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "description": "The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is \"system:anonymous\", `verb` is \"list\", and `objectRef.resource` is \"pods\", with `requestURI` set to \"/api/v1/pods\". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster Pod", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" verb=list objectRef.resource=pods requestURI=\"/api/v1/pods\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "author": "Patrick Bareiss, Splunk", "date": "2024-05-24", "version": 3, "id": "b3424bbe-3204-4469-887b-ec144483a336", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `amazon_security_lake` api.operation=DescribeEventAggregates \"http_request.user_agent\"!=\"AWS Internal\" \"src_endpoint.domain\"!=\"health.amazonaws.com\" | eval time = time/pow(10,3) | `security_content_ctime(time)` | bin span=5m time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count values(cloud.region) as cloud.region by time api.operation actor.user.account_uid actor.user.uid | where distinct_ip_count > 1 | rename cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id, actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-05-29", "version": 4, "id": "1f0b47e5-0134-43eb-851c-e3258638945e", "description": "The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudTrail logging for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudWatch logging group for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Impair Security Services", "author": "Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 3, "id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "description": "The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1", "description": "The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "f3eb471c-16d0-404d-897c-7653f0a78cba", "description": "The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "739ed682-27e9-4ba0-80e5-a91b97698213", "description": "The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), \"%H\"), weekday=strftime(time/pow(10,3), \"%A\") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region | rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "886a8f46-d7e2-4439-b9ba-aec238e31732", "description": "The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_users_asl", "definition": "actor.user.name IN (admin)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS IAM Delete Policy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 3, "id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "description": "The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted AWS Policies from IP address $src_ip$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS IAM Failure Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "8d12f268-c567-4557-9813-f8389e235c06", "description": "The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has had mulitple failures while attempting to delete groups from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS IAM Successful Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "1bbe54f1-93d7-4764-8a01-ddaa12ece7ac", "description": "The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has sucessfully deleted a user group from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`", "how_to_implement": "You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 3, "id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS New MFA Method Registered For User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 3, "id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "description": "The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new virtual device is added to user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS AMI Attribute Modification for Exfiltration", "author": "Bhavin Patel, Splunk", "date": "2024-05-09", "version": 3, "id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "description": "The following analytic detects suspicious modifications to AWS AMI attributes, such as sharing an AMI with another AWS account or making it publicly accessible. It leverages AWS CloudTrail logs to identify these changes by monitoring specific API calls. This activity is significant because adversaries can exploit these modifications to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public.", "risk_score": 80, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,\"all\") ,\"Public AMI\", \"Not Public\") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ami_attribute_modification_for_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Concurrent Sessions From Different Ips", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "51c04fdb-2746-465a-b86e-b413a09c9085", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName = DescribeEventAggregates src_ip!=\"AWS Internal\" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Console Login Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 2, "id": "55349868-5583-466f-98ab-d3beb321961e", "description": "The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when MFA was used but the login attempt still failed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ failed to pass MFA challenge while logging into console from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorMessage=\"Failed authentication\" additionalEventData.MFAUsed = \"Yes\" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_console_login_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Create Policy Version to allow all resources", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 5, "id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "description": "The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ created a policy version that allows them to access any resource in their account.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = \"*\" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_create_policy_version_to_allow_all_resources_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS CreateAccessKey", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 4, "id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "description": "The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS CreateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 3, "id": "2a9b80d3-6340-4345-11ad-212bf444d111", "description": "The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is attempting to create a login profile for $new_login_profile$ and did a console login from this IP $src_ip$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_createloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Credential Access Failed Login", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "description": "The following analytic identifies unsuccessful login attempts to the AWS Management Console using a specific user identity. It leverages AWS CloudTrail logs to detect failed authentication events associated with the AWS ConsoleLogin action. This activity is significant for a SOC because repeated failed login attempts may indicate a brute force attack or unauthorized access attempts. If confirmed malicious, an attacker could potentially gain access to AWS account services and resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has a login failure from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely mistype or forget the password.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_credential_access_failed_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Credential Access GetPasswordData", "author": "Bhavin Patel, Splunk", "date": "2024-05-21", "version": 2, "id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "description": "The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1552/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment.", "known_false_positives": "Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_credential_access_getpassworddata_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Credential Access RDS Password reset", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-09", "version": 3, "id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "description": "The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "database_id", "type": "Endpoint", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$database_id$ password has been reset from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=\"rds.amazonaws.com\" eventName=ModifyDBInstance \"requestParameters.masterUserPassword\"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely reset the RDS password.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_credential_access_rds_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cross Account Activity From Previously Unseen Account", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "21193641-cb96-4a2c-a707-d9b9a7f7792b", "description": "The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "requestingAccountId", "type": "Other", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), \"-24h@h\"),\"New Cross Account Activity\",\"Previously Seen\") | where status = \"New Cross Account Activity\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.", "known_false_positives": "Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_cross_account_activity_from_previously_unseen_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles", "collection": "previously_seen_aws_cross_account_activity", "case_sensitive_match": null, "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId"}]}, {"name": "AWS Defense Evasion Delete Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2024-05-14", "version": 2, "id": "82092925-9ca1-4e06-98b8-85a2d3889552", "description": "The following analytic detects the deletion of AWS CloudTrail logs by identifying `DeleteTrail` events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "d308b0f1-edb7-4a62-a614-af321160710f", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Impair Security Services", "author": "Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "b28c4957-96a6-47e0-a965-6c767aac1458", "description": "The following analytic detects attempts to delete critical AWS security service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages CloudTrail logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion PutBucketLifecycle", "author": "Bhavin Patel", "date": "2024-05-28", "version": 2, "id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "description": "The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_putbucketlifecycle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "description": "The following analytic detects `StopLogging` events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Defense Evasion Update Cloudtrail", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "description": "The following analytic detects `UpdateTrail` events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect attach to role policy", "author": "Rod Soto, Splunk", "date": "2024-05-12", "version": 2, "id": "88fc31dd-f331-448c-9856-d3d51dd5d3a1", "description": "The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_attach_to_role_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect permanent key creation", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "12d6d713-3cb4-4ffc-a064-1dca3d1cca01", "description": "The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \"userIdentity.type\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_permanent_key_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect role creation", "author": "Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "5f04081e-ddee-4353-afe4-504f288de9ad", "description": "The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action is performed, focusing on roles with specific trust policies. This activity is significant as unauthorized role creation can facilitate lateral movement and privilege escalation within the AWS environment. If confirmed malicious, attackers could gain elevated permissions, potentially compromising sensitive resources and data.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_role_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect sts assume role abuse", "author": "Rod Soto, Splunk", "date": "2024-05-20", "version": 2, "id": "8e565314-b6a2-46d8-9f05-1a34a176a662", "description": "The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_assume_role_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect sts get session token abuse", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "85d7b35f-b8b5-4b01-916f-29b81e7a0551", "description": "The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_get_session_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2024-05-28", "version": 2, "id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "description": "The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account is potentially compromised and user $user$ is trying to compromise other accounts.", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action=\"kms:Encrypt\" AND key_policy_principal=\"*\" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2024-05-18", "version": 3, "id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "description": "The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption=\"aws:kms\" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "There maybe buckets provisioned with S3 encryption", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Disable Bucket Versioning", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "657902a9-987d-4879-a1b2-e7a65512824b", "description": "The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability.", "references": ["https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName= PutBucketVersioning \"requestParameters.VersioningConfiguration.Status\"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_disable_bucket_versioning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS EC2 Snapshot Shared Externally", "author": "Bhavin Patel, Splunk", "date": "2024-05-07", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "description": "The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,\"Match\",\"No Match\") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = \"No Match\" | `aws_ec2_snapshot_shared_externally_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ec2_snapshot_shared_externally_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings High", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 3, "id": "30a0e9f8-f1dd-4f9d-8fc2-c622461d781c", "description": "The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity high found in repository $repository$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_scanning_findings_high_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "author": "Patrick Bareiss, Eric McGinnis Splunk", "date": "2024-05-15", "version": 3, "id": "cbc95e44-7c22-443f-88fd-0424478f5589", "description": "The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN (\"LOW\", \"INFORMATIONAL\", \"UNKNOWN\") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"low\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Medium", "author": "Patrick Bareiss, Splunk", "date": "2024-05-06", "version": 3, "id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "description": "The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 21, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user| eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_scanning_findings_medium_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM or on weekends. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "300688e4-365c-4486-a065-7c884462b31d", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) by an unknown user. It leverages AWS CloudTrail logs to identify `PutImage` events from the ECR service, filtering out known users. This activity is significant because container uploads should typically be performed by a limited set of authorized users. If confirmed malicious, this could indicate unauthorized access, potentially leading to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_users", "definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2024-05-08", "version": 2, "id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "description": "The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "description": "The following analytic identifies anomalous GetObject API activity in AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail logs and uses the `anomalydetection` command to detect unusual patterns in the frequency of GetObject API calls by analyzing fields such as \"count,\" \"user_type,\" and \"user_arn\" within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection", "https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Anomalous S3 activities detected by user $user_arn$ from $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection \"count\" \"user_type\" \"user_arn\" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via Batch Service", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 2, "id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "description": "The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and their status. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_exfiltration_via_batch_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via Bucket Replication", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 2, "id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "description": "The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify `PutBucketReplication` events, focusing on fields like `bucketName`, `ReplicationConfiguration.Rule.Destination.Bucket`, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_bucket_replication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via DataSync Task", "author": "Bhavin Patel, Splunk", "date": "2024-05-28", "version": 2, "id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "description": "The following analytic detects the creation of an AWS DataSync task, which could indicate potential data exfiltration. It leverages AWS CloudTrail logs to identify the `CreateTask` event from the DataSync service. This activity is significant because attackers can misuse DataSync to transfer sensitive data from a private AWS location to a public one, leading to data compromise. If confirmed malicious, this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = CreateTask eventSource=\"datasync.amazonaws.com\" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_exfiltration_via_datasync_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 2, "id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "description": "The following analytic detects a series of AWS API calls related to EC2 snapshots within a short time window, indicating potential exfiltration via EC2 Snapshot modifications. It leverages AWS CloudTrail logs to identify actions such as creating, describing, and modifying snapshot attributes. This activity is significant as it may indicate an attacker attempting to exfiltrate data by sharing EC2 snapshots externally. If confirmed malicious, the attacker could gain access to sensitive information stored in the snapshots, leading to data breaches and potential compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://stratus-red-team.cloud/attack-techniques/list/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "userName", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName IN (\"CreateSnapshot\", \"DescribeSnapshotAttribute\", \"ModifySnapshotAttribute\", \"DeleteSnapshot\") src_ip !=\"guardduty.amazonaws.com\" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_ec2_snapshot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications For User", "author": "Bhavin Patel, Splunk", "date": "2024-05-25", "version": 2, "id": "e3236f49-daf3-4b70-b808-9290912ac64d", "description": "The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. Security teams should consider adjusting the threshold based on their specific environment to reduce false positives.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}], "message": "User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 2, "id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute window. This detection leverages CloudTrail logs, aggregating failed login events by IP address and time span. This activity is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges within an AWS environment. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation of AWS resources.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM AccessDenied Discovery Events", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "3e1f1568-9633-11eb-a69c-acde48001122", "description": "The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.arn", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (errorCode = \"AccessDenied\") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_accessdenied_discovery_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Assume Role Policy Brute Force", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "f19e09b0-9308-11eb-b7ec-acde48001122", "description": "The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/", "https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.", "risk_score": 28, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_assume_role_policy_brute_force_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Delete Policy", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "ec3a9362-92fe-11eb-99d0-acde48001122", "description": "The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Failure Group Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "723b861a-92eb-11eb-93b8-acde48001122", "description": "The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. This activity is significant as it may indicate unauthorized attempts to modify IAM group configurations, which could be a precursor to privilege escalation or other malicious actions. If confirmed malicious, this could allow an attacker to disrupt IAM policies, potentially leading to unauthorized access or denial of service within the AWS environment.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has had mulitple failures while attempting to delete groups from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS IAM Successful Group Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "e776d06c-9267-11eb-819b-acde48001122", "description": "The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_deleted", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Lambda UpdateFunctionCode", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "211b80d3-6340-4345-11ad-212bf3d0d111", "description": "The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful `UpdateFunctionCode` events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.", "references": ["http://detectioninthe.cloud/execution/modify_lambda_function_code/", "https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$", "risk_score": 63, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_lambda_updatefunctioncode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "374832b1-3603-420c-b456-b373e24d34c0", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "aws_account_id", "type": "Other", "role": ["Victim"]}, {"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Multiple Failed MFA Requests For User", "author": "Bhavin Patel", "date": "2024-05-31", "version": 2, "id": "1fece617-e614-4329-9e61-3ba228c0f353", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect more than 10 failed MFA prompts within 5 minutes. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access to the AWS environment, potentially compromising sensitive data and resources.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ is seen to have high number of MFA prompt failures within a short period of time.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName= ConsoleLogin \"additionalEventData.MFAUsed\"=Yes errorMessage=\"Failed authentication\" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel", "date": "2024-05-10", "version": 2, "id": "71e1fb89-dd5f-4691-8523-575420de4630", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. It leverages CloudTrail logs to detect multiple failed login attempts from the same IP address. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain unauthorized access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip | `aws_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Network Access Control List Created with All Open Ports", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 3, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "description": "The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$", "risk_score": 48, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_network_access_control_list_created_with_all_open_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Network Access Control List Deleted", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-15", "version": 3, "id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "description": "The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS New MFA Method Registered For User", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Password Policy Changes", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 2, "id": "aee4a575-7064-4e60-b511-246f9baf9895", "description": "The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as \"UpdateAccountPasswordPolicy,\" \"GetAccountPasswordPolicy,\" and \"DeleteAccountPasswordPolicy.\" This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 3, "id": "85096389-a443-42df-b89d-200efbb1b560", "description": "The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = \"collection\" OR All_Risk.annotations.mitre_attack.mitre_tactic = \"exfiltration\" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`", "how_to_implement": "You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.", "known_false_positives": "alse positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "aws_s3_exfiltration_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS SAML Access by Provider User and Principal", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "bbe23980-6019-11eb-ae93-0242ac130002", "description": "The following analytic identifies specific SAML access events by a service provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs to detect the `AssumeRoleWithSAML` event, analyzing fields such as `principalArn`, `roleArn`, and `roleSessionName`. This activity is significant as it can indicate abnormal access patterns or potential credential hijacking, especially in federated environments using the SAML protocol. If confirmed malicious, this could allow attackers to assume roles and gain unauthorized access to sensitive AWS resources, leading to data breaches or further exploitation.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "recipientAccountId", "type": "Other", "role": ["Victim"]}], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_saml_access_by_provider_user_and_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS SAML Update identity provider", "author": "Rod Soto, Splunk", "date": "2024-05-19", "version": 2, "id": "2f0604c6-6030-11eb-ae93-0242ac130002", "description": "The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.principalId", "type": "User", "role": ["Victim", "Target"]}], "message": "User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_saml_update_identity_provider_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS SetDefaultPolicyVersion", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "description": "The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_setdefaultpolicyversion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Successful Console Authentication From Multiple IPs", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 3, "id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "description": "The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring `ConsoleLogin` events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment.", "references": ["https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/"], "tags": {"analytic_story": ["Compromised User Account", "Suspicious AWS Login Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_successful_console_authentication_from_multiple_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Successful Single-Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "description": "The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorCode=success \"additionalEventData.MFAUsed\"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 3, "id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual numbers of failed authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS UpdateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2024-05-17", "version": 4, "id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "description": "The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_updateloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Active Directory High Risk Sign-in", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 3, "id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "description": "The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A high risk event was identified by Identify Protection for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype.", "known_false_positives": "Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_active_directory_high_risk_sign_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "9d4fea43-9182-4c5a-ada8-13701fd5615d", "description": "The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the \"Add app role assignment to service principal\" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add app role assignment to service principal\" src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Application Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 3, "id": "eac4de87-7a56-4538-a21b-277897af6d8d", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. It leverages Azure Active Directory events, specifically monitoring the \"Add member to role\" operation. This activity is significant because users in this role can manage all aspects of enterprise applications, including credentials, which can be used to impersonate application identities. If confirmed malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant.", "references": ["https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_application_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Authentication Failed During MFA Challenge", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-18", "version": 3, "id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "description": "The following analytic identifies failed authentication attempts against an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. This activity is significant as it may indicate an adversary attempting to authenticate using compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing effort to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "875de3d7-09bc-4916-8c0a-0929f4ced3d8", "description": "The following analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats by allowing users to grant consent to potentially malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update authorization policy\" | rename properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) | search AllowUserConsentForRiskyApps = \"[true]\" | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "description": "The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs per user. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | where unique_ips > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Device Code Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 3, "id": "d68d8732-6f7e-4ee5-a6eb-737f2b990b91", "description": "The following analytic identifies Azure Device Code Phishing attacks, which can lead to Azure Account Take-Over (ATO). It leverages Azure AD SignInLogs to detect suspicious authentication requests using the device code authentication protocol. This activity is significant as it indicates potential bypassing of Multi-Factor Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange mailboxes, and Outlook Web Application (OWA), leading to potential data breaches and unauthorized data access.", "references": ["https://attack.mitre.org/techniques/T1528", "https://github.com/rvrsh3ll/TokenTactics", "https://embracethered.com/blog/posts/2022/device-code-phishing/", "https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html", "https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Device code requested for $user$ from $src_ip$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs \"properties.authenticationProtocol\"=deviceCode | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_device_code_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD External Guest User Invited", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "description": "The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment.", "references": ["https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf", "https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999", "https://attack.mitre.org/techniques/T1136/003/", "https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "External Guest User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Invite external user\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrator may legitimately invite external guest users. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_external_guest_user_invited_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "ae286126-f2ad-421c-b240-4ea83bd1c43a", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application within Office 365 Exchange Online. This is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. The detection leverages the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This activity is significant as it grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. If malicious, this could lead to unauthorized access and data exfiltration.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Global Administrator Role Assigned", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 5, "id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "description": "The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the \"Add member to role\" operation includes the \"Global Administrator\" role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk.", "references": ["https://o365blog.com/post/admin/", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "Global Administrator Role assigned for User $user$ initiated by $initiatedBy$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add member to role\" properties.targetResources{}.modifiedProperties{}.newValue=\"\\\"Global Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_global_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "630b1694-210a-48ee-a450-6f79e7679f2c", "description": "The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to authenticate more than 20 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 3, "id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the \"Disable Strong Authentication\" operation. This activity is significant because disabling MFA can allow adversaries to maintain persistence using compromised accounts without raising suspicion. If confirmed malicious, this action could enable attackers to bypass an essential security control, potentially leading to unauthorized access and prolonged undetected presence in the environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "116e11a9-63ea-41eb-a66a-6a13bdc7d2c7", "description": "The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "5d8bb1f0-f65a-4b4e-af2e-fcdb88276314", "description": "The following analytic detects unusual authentication activity in Azure AD, specifically when a single user account has over 8 authentication attempts using 3+ unique application IDs and 5+ unique user agents within a short period. It leverages Azure AD audit logs, focusing on authentication events and using statistical thresholds. This behavior is significant as it may indicate an adversary probing for MFA requirements. If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. Early detection is crucial to prevent substantial harm.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" (properties.authenticationRequirement=\"multiFactorAuthentication\" AND properties.status.additionalDetails=\"MFA required in Azure AD\") OR (properties.authenticationRequirement=singleFactorAuthentication AND \"properties.authenticationDetails{}.succeeded\"=true) | bucket span=5m _time | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Denied MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "d0895c20-de71-4fd2-b56c-3fcdb888eba1", "description": "The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on \"Sign-in activity\" events with error code 500121 and additional details indicating \"MFA denied; user declined the authentication.\" This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails=\"MFA denied; user declined the authentication\" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_denied_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 4, "id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" properties.status.errorCode=500121 properties.status.additionalDetails!=\"MFA denied; user declined the authentication\" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "66cb378f-234d-4fe1-bb4c-e7878ff6b017", "description": "The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "32880707-f512-414e-bd7f-204c0c85b758", "description": "The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 3, "id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "description": "The following analytic detects a single source IP failing to authenticate with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or privilege escalation within the Azure AD environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New Custom Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-14", "version": 3, "id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "description": "The following analytic detects the addition of a new custom domain within an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify successful \"Add unverified domain\" operations. This activity is significant as it may indicate an adversary attempting to establish persistence by setting up identity federation backdoors, allowing them to impersonate users and bypass authentication mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized access, escalate privileges, and maintain long-term access to the Azure AD environment, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new custom domain, $domain$ , was added by $user$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add unverified domain\" properties.result=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, new customm domains will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_custom_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New Federated Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 3, "id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "description": "The following analytic detects the addition of a new federated domain within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify successful \"Set domain authentication\" operations. This activity is significant as it may indicate the use of the Azure AD identity federation backdoor technique, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, potentially leading to unauthorized access and control over the Azure AD environment.", "references": ["https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new federated domain, $domain$ , was added by $user$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Set domain authentication\" \"properties.result\"=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, domain federation settings will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "0488e814-eb81-42c3-9f1f-b2244973e3a3", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account in Azure Active Directory. It leverages Azure AD audit logs to identify changes in MFA configurations. This activity is significant because adding a new MFA method can indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges, access sensitive data, or make unauthorized changes. Immediate verification and remediation are required to secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update user\" | rename properties.* as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD New MFA Method Registered For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "2628b087-4189-403f-9044-87403f777a1b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD OAuth Application Consent Granted By User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "10ec9031-015b-4617-b453-c0c1ab729007", "description": "The following analytic detects when a user in an Azure AD environment grants consent to an OAuth application. It leverages Azure AD audit logs to identify events where users approve application consents. This activity is significant as it can expose organizational data to third-party applications, a common tactic used by malicious actors to gain unauthorized access. If confirmed malicious, this could lead to unauthorized access to sensitive information and resources. Immediate investigation is required to validate the application's legitimacy, review permissions, and mitigate potential risks.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=success | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_oauth_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD PIM Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "description": "The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was assiged to $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add eligible member to role in PIM completed*\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_pim_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD PIM Role Assignment Activated", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 4, "id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "description": "The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the \"Add member to role completed (PIM activation)\" operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role completed (PIM activation)\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_pim_role_assignment_activated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 3, "id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "description": "The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 50, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_authentication_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "5521f8c5-1aa3-473c-9eb7-853701924a06", "description": "The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. Immediate investigation is required.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Privileged Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-29", "version": 3, "id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "description": "The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the \"Add member to role\" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 3, "id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "description": "The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.", "references": ["https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Victim"]}], "message": "A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role\" | rename properties.* as * | search \"targetResources{}.type\"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_privileged_role_assigned_to_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Service Principal Authentication", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "5a2ec401-60bb-474e-b936-1e66e7aa4060", "description": "The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting \"Sign-in activity\" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Service Principal $user$ authenticated from $src_ip$", "risk_score": 25, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Service Principal Created", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "description": "The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the \"Add service principal\" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals", "https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0", "https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}], "message": "Service Principal named $displayName$ created by $user$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately create Service Principal. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Service Principal New Client Credentials", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-11", "version": 3, "id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "description": "The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the \"Update application*Certificates and secrets management\" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "New credentials added for Service Principal by $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"Update application*Certificates and secrets management \" | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Service Principal Owner Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 4, "id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "description": "The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A new owner was added for service principal $displayName$ by $initiatedBy$", "risk_score": 54, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add owner to application\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately add new owners for Service Principals. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_service_principal_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Successful Authentication From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 4, "id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "description": "The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.", "references": ["https://attack.mitre.org/techniques/T1110", "https://attack.mitre.org/techniques/T1110.001", "https://attack.mitre.org/techniques/T1110.003"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_successful_authentication_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Successful PowerShell Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 3, "id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is \"Microsoft Azure PowerShell.\" This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0", "https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ using PowerShell.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_successful_powershell_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_successful_powershell_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Successful Single-Factor Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 3, "id": "a560e7f6-1711-4353-885b-40be53101fcd", "description": "The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks*", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to sensitive data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Administrator $user$ consented an OAuth application for the tenant.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 3, "id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "description": "The following analytic identifies a single source IP failing to authenticate with multiple valid users, potentially indicating a Password Spraying attack against an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers of failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "risk_score": 54, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "06b8ec9a-d3b5-4882-8f16-04b4d10f5eab", "description": "The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = \"\\\"Risky application detected\\\"\" | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "UPDATE_KNOWN_FALSE_POSITIVES", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "bb093c30-d860-4858-a56e-cd0895d5b49c", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment. This detection leverages Azure AD's audit logs, specifically focusing on user consent actions with error code 65004. Monitoring denied consent actions is significant as it can indicate users recognizing potentially suspicious or untrusted applications. If confirmed malicious, this activity could suggest attempts by unauthorized applications to gain access, potentially leading to data breaches or unauthorized actions within the environment. Understanding these denials helps refine security policies and enhance user awareness.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied consent for an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" properties.status.errorCode=65004 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Users may deny consent for legitimate applications by mistake, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User Enabled And Password Reset", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 3, "id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "description": "The following analytic detects an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. It uses Azure Active Directory events to identify this sequence of actions. This activity is significant because it may indicate an adversary with administrative access attempting to establish a backdoor identity within the Azure AD tenant. If confirmed malicious, this could allow the attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information from the environment.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` (operationName=\"Enable account\" OR operationName=\"Reset password (by admin)\" OR operationName=\"Update user\") | transaction user startsWith=(operationName=\"Enable account\") endsWith=(operationName=\"Reset password (by admin)\") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_enabled_and_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure AD User ImmutableId Attribute Updated", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "description": "The following analytic identifies the modification of the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user. This detection leverages Azure AD audit logs, specifically monitoring the \"Update user\" operation and changes to the SourceAnchor attribute. This activity is significant as it is a step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, leading to unauthorized access and potential data breaches.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Update user\" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_ad_user_immutableid_attribute_updated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Automation Account Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "860902fd-2e76-46b3-b050-ba548dab576c", "description": "The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premise environments. If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account?tabs=azureportal", "https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation account $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation account\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation accounts. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_automation_account_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Automation Runbook Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "description": "The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/manage-runbooks", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation Runbook $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation Runbook\" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation Runbooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_automation_runbook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Azure Runbook Webhook Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 4, "id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "description": "The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the \"Create or Update an Azure Automation webhook\" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Runbook Webhook $object$ was created by $user$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation webhook\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Runbook Webhooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "azure_runbook_webhook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Circle CI Disable Security Job", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 2, "id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "description": "The following analytic detects the disabling of security jobs in CircleCI pipelines. It leverages CircleCI log data, renaming and extracting fields such as job names, workflow IDs, user information, commit messages, URLs, and branches. The detection identifies mandatory jobs for each workflow and checks if they were executed. This activity is significant because disabling security jobs can allow malicious code to bypass security checks, leading to potential data breaches, system downtime, and reputational damage. If confirmed malicious, this could result in unauthorized code execution and compromised pipeline integrity.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, \"%\".mandatory_job.\"%\"), 1, 0) | where mandatory_job_executed=0 | eval phase=\"build\" | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circle_ci_disable_security_job_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow", "filename": "mandatory_job_for_workflow.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Circle CI Disable Security Step", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "description": "The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security step $mandatory_step$ in job $job_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, \"%\".mandatory_step.\"%\"), 1, 0) | where mandatory_step_executed=0 | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | eval phase=\"build\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circle_ci_disable_security_step_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job", "filename": "mandatory_step_for_job.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Cloud API Calls From Previously Unseen User Roles", "author": "David Dorsey, Splunk", "date": "2024-05-15", "version": 2, "id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "description": "The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),\"-24h@h\") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_api_calls_from_previously_unseen_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen", "collection": "previously_seen_cloud_api_calls_per_user_role", "case_sensitive_match": null, "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2024-05-18", "version": 3, "id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "description": "The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating a new instance $dest$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`", "how_to_implement": "You must be ingesting the appropriate cloud-infrastructure logs Run the \"Previously Seen Cloud Compute Creations By User\" support search to create of baseline of previously seen users.", "known_false_positives": "It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "cloud_compute_instance_created_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances", "collection": "previously_seen_cloud_compute_creations_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "author": "David Dorsey, Splunk", "date": "2024-05-10", "version": 2, "id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "description": "The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ in a new region for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_in_previously_unused_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities", "collection": "previously_seen_cloud_regions", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "author": "David Dorsey, Splunk", "date": "2024-05-30", "version": 2, "id": "bc24922d-987c-4645-b288-f8c73ec194c4", "description": "The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an image that has not been previously seen.", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), \"-24h@h\") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.", "known_false_positives": "After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_image_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs", "collection": "previously_seen_cloud_compute_images", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2024-05-14", "version": 2, "id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "description": "The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where instance_type != \"unknown\" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types", "collection": "previously_seen_cloud_compute_instance_types", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data"}]}, {"name": "Cloud Instance Modified By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 2, "id": "7fb15084-b14e-405a-bd61-a6de15a40722", "description": "The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "User $user$ is modifying an instance $object_id$ for the first time.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`", "how_to_implement": "This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search \"Previously Seen Cloud Instance Modifications By User - Update\" should be enabled for this detection to properly work.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "cloud_instance_modified_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed", "collection": "previously_seen_cloud_instance_modifications_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen City", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "description": "The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "94994255-3acf-4213-9b3f-0494df03bb31", "description": "The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), \"-24h@h\") | `security_content_ctime(firstTime)` | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "description": "The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object_id", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-17", "version": 2, "id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "description": "The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Security Groups Modifications by User", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 2, "id": "cfe7cca7-2746-4bdf-b712-b01ed819b9de", "description": "The following analytic identifies unusual modifications to security groups in your cloud environment by users, focusing on actions such as modifications, deletions, or creations over 30-minute intervals. It leverages cloud infrastructure logs and calculates the standard deviation for each user, using the 3-sigma rule to detect anomalies. This activity is significant as it may indicate a compromised account or insider threat. If confirmed malicious, attackers could alter security group configurations, potentially exposing sensitive resources or disrupting services.", "references": ["https://attack.mitre.org/techniques/T1578/005/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unsual number cloud security group modifications detected by user - $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = \"security_group\" (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action = created) by All_Changes.user _time span=30m | `drop_dm_object_name(\"All_Changes\")` | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`", "how_to_implement": "This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment.", "known_false_positives": "It is possible that legitimate user/admin may modify a number of security groups", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_security_groups_modifications_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by New User", "author": "Rico Valdez, Splunk", "date": "2024-05-28", "version": 4, "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "description": "The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console for the first time", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), \"-24h@h\") OR isnull(earliestseen), \"First Time Logging into AWS Console\", \"Previously Seen User\") | where userStatus=\"First Time Logging into AWS Console\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_new_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by User from New City", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-25", "version": 3, "id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "description": "The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from City $City$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New City\",\"Previously Seen City\") | where userCity = \"New City\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Country", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-16", "version": 3, "id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "description": "The following analytic identifies AWS console login events by users from a new country. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users and their login locations. This activity is significant because logins from new countries can indicate potential unauthorized access or compromised accounts. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the AWS environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Country $Country$ for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Country\",\"Previously Seen Country\") | where userCountry = \"New Country\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Region", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-18", "version": 3, "id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "description": "The following analytic identifies AWS console login attempts by users from a new region. It leverages AWS CloudTrail events and compares current login regions against a baseline of previously seen regions for each user. This activity is significant as it may indicate unauthorized access attempts or compromised credentials. If confirmed malicious, an attacker could gain unauthorized access to AWS resources, potentially leading to data breaches, resource manipulation, or further lateral movement within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Region $Region$ for the first time", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Region\",\"Previously Seen Region\") | where userRegion= \"New Region\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect GCP Storage access from a new IP", "author": "Shannon Davis, Splunk", "date": "2024-05-14", "version": 2, "id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "description": "The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "remote_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\"\\\"200\\\"\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),\"-70m@m\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\"%m/%d/%y %H:%M:%S\") | eval last_time=strftime(lastTime,\"%m/%d/%y %H:%M:%S\") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.", "known_false_positives": "GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_gcp_storage_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Open GCP Storage Buckets", "author": "Shannon Davis, Splunk", "date": "2024-05-17", "version": 2, "id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "description": "The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).", "known_false_positives": "While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the \"allUsers\" group.", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_gcp_storage_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Open S3 buckets", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "description": "The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "message": "User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw \"(?{.+})\" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN (\"http://acs.amazonaws.com/groups/global/AllUsers\",\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\") | search permission IN (\"READ\",\"READ_ACP\",\"WRITE\",\"WRITE_ACP\",\"FULL_CONTROL\") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter`", "how_to_implement": "You must install the AWS App for Splunk.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_open_s3_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Open S3 Buckets over AWS CLI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "description": "The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to \"AuthenticatedUsers\" or \"AllUsers.\" This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.userName", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=\"s3.amazonaws.com\" (userAgent=\"[aws-cli*\" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-full-control IN (\"*AuthenticatedUsers\",\"*AllUsers\") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_open_s3_buckets_over_aws_cli_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect S3 access from a new IP", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "e6f1bb1b-f441-492b-9126-902acda217da", "description": "The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "bucketName", "type": "Other", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "New S3 access from a new IP - $src_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the \"Previously Seen S3 Bucket Access by Remote IP\" support search once to create a history of previously seen remote IPs and bucket names.", "known_false_positives": "S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_s3_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"Resources{}.Type\"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 4, "id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Spike in AWS Security Hub alerts for user - $user$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"findings{}.Resources{}.Type\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "description": "The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "resourceId", "type": "Other", "role": ["Victim"]}], "message": "Blocked outbound traffic from your AWS", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as dest_ip, values(interface_id) as \"resourceId\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of \"spike.\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Blocked Outbound Connection\" support search once to create a history of previously seen blocked outbound connections.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudwatchlogs_vpcflow", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in S3 Bucket deletion", "author": "Bhavin Patel, Splunk", "date": "2024-05-03", "version": 2, "id": "e733a326-59d2-446d-b8db-14a17151aa68", "description": "The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of S3 Bucket deletion activity by ARN\" support search once to create a baseline of previously seen S3 bucket-deletion activity.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_s3_bucket_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "description": "The following analytic detects failed authentication attempts during the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) tenant. It uses Google Workspace login failure events to identify instances where MFA methods were challenged but not successfully completed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials despite MFA protection. If confirmed malicious, this could lead to unauthorized access attempts, potentially compromising sensitive data and resources within the GCP environment.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Detect gcploit framework", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "description": "The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_gcploit_framework_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Kubernetes cluster pod scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 2, "id": "19b53215-4a16-405b-8087-9e6acf619842", "description": "The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_kubernetes_cluster_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "description": "The following analytic detects an attempt to disable multi-factor authentication (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin log events, specifically the `UNENROLL_USER_FROM_STRONG_AUTH` command. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised account without raising suspicion. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access, data exfiltration, or further exploitation of the compromised account.", "references": ["https://support.google.com/cloudidentity/answer/2537800?hl=en", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "GCP", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "actor.email", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $actor.email$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_reports_admin", "definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "description": "The following analytic detects multiple failed multi-factor authentication (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It triggers when 10 or more MFA prompts fail within a 5-minute window, using Google Workspace login failure events. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise accounts and potentially escalate privileges within the GCP environment.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple Failed MFA requests for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "description": "The following analytic detects a single source IP address failing to authenticate into more than 20 unique Google Workspace user accounts within a 5-minute window. It leverages Google Workspace login failure events to identify potential password spraying attacks. This activity is significant as it may indicate an adversary attempting to gain unauthorized access or elevate privileges within the Google Cloud Platform. If confirmed malicious, this behavior could lead to unauthorized access to sensitive resources, data breaches, or further exploitation within the environment.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false postives for this detection. Please review this alert.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Successful Single-Factor Authentication", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "description": "The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://support.google.com/a/answer/175197?hl=en", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "description": "The following analytic identifies a single source IP failing to authenticate into Google Workspace with multiple valid users, potentially indicating a Password Spraying attack. It uses Google Workspace login failure events and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation within the environment.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false positives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gdrive suspicious file sharing", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-13", "version": 2, "id": "a7131dae-34e3-11ec-a2de-acde48001122", "description": "The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations.", "references": ["https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html"], "tags": {"analytic_story": ["Data Exfiltration", "Spearphishing Attachments"], "asset_type": "GDrive", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = \"*@yourdomain.com\" target_user != \"*@yourdomain.com\" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`", "how_to_implement": "Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gdrive_suspicious_file_sharing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GitHub Actions Disable Security Workflow", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 2, "id": "0459f1a5-c0ac-4987-82d6-65081209f854", "description": "The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Security Workflow is disabled in branch $branch$ for repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_actions_disable_security_workflow_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Github Commit Changes In Master", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c9d2bfe2-019f-11ec-a8eb-acde48001122", "description": "The following analytic detects direct commits or pushes to the master or main branch in a GitHub repository. It leverages GitHub logs to identify events where changes are made directly to these critical branches. This activity is significant because direct modifications to the master or main branch bypass the standard review process, potentially introducing unreviewed and harmful changes. If confirmed malicious, this could lead to unauthorized code execution, security vulnerabilities, or compromised project integrity.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to main branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "Admin can do changes directly to master branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_commit_changes_in_master_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Github Commit In Develop", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "f3030cb6-0b02-11ec-8f22-acde48001122", "description": "The following analytic detects commits pushed directly to the 'develop' or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on commit metadata such as author details, commit messages, and timestamps. This activity is significant as direct commits to these branches can bypass the review process, potentially introducing unvetted changes. If confirmed malicious, this could lead to unauthorized code modifications, introducing vulnerabilities or backdoors into the codebase, and compromising the integrity of the development lifecycle.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to develop branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to develop branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_commit_in_develop_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GitHub Dependabot Alert", "author": "Patrick Bareiss, Splunk", "date": "2024-05-27", "version": 2, "id": "05032b04-4469-4034-9df7-05f607d75cba", "description": "The following analytic identifies the creation of GitHub Dependabot alerts, which indicate potential vulnerabilities in the codebase. It detects this activity by searching for logs with the \"create\" action and analyzing fields such as affected package, severity, and fixed version. This detection is significant for a SOC because it helps identify and address security risks in the codebase proactively. If confirmed malicious, these vulnerabilities could be exploited by attackers to gain unauthorized access or cause breaches, leading to potential data loss or system compromise.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_dependabot_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GitHub Pull Request from Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 2, "id": "9d7b9100-8878-4404-914e-ca5e551a641e", "description": "The following analytic detects pull requests from unknown users on GitHub. It uses a Splunk query to identify pull requests where the user ID is not specified and cross-references these with a known users lookup table. This activity is significant because pull requests from unknown users can introduce malicious code or unauthorized changes to repositories. If confirmed malicious, this could lead to unauthorized code changes, data breaches, or other security incidents. Immediate steps include reviewing the author's name, repository, head reference, and commit message, and investigating any related artifacts and processes.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_known_users", "definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_pull_request_from_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Drive Share In External Email", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "description": "The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_drive` NOT (email IN(\"\", \"null\")) | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=email \"[^@]+@(?[^@]+)\" | where src_domain = \"internal_test_email.com\" and not dest_domain = \"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "network admin or normal user may share files to customer and external team.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_drive_share_in_external_email_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GSuite Email Suspicious Attachment", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "6d663014-fe92-11eb-ab07-acde48001122", "description": "The following analytic detects suspicious attachment file extensions in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, and .js. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. If confirmed malicious, this could lead to unauthorized code execution, data breaches, or further network infiltration.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "Email Address", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` \"attachment{}.file_extension_type\" IN (\"pl\", \"py\", \"rb\", \"sh\", \"bat\", \"exe\", \"dll\", \"cpl\", \"com\", \"js\", \"vbs\", \"ps1\", \"reg\",\"swf\", \"cmd\", \"go\") | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_suspicious_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Email Suspicious Subject With Attachment", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "8ef3971e-00f2-11ec-b54f-acde48001122", "description": "The following analytic identifies Gsuite emails with suspicious subjects and attachments commonly used in spear phishing attacks. It leverages Gsuite email logs, focusing on specific keywords in the subject line and known malicious file types in attachments. This activity is significant for a SOC as spear phishing is a prevalent method for initial compromise, often leading to further malicious actions. If confirmed malicious, this activity could result in unauthorized access, data exfiltration, or further malware deployment, posing a significant risk to the organization's security.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` num_message_attachments > 0 subject IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"* fedex *\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") attachment{}.file_extension_type IN (\"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"pdf\", \"zip\", \"rar\", \"html\",\"htm\",\"hta\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_suspicious_subject_with_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Email With Known Abuse Web Service Link", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "8630aa22-042b-11ec-af39-acde48001122", "description": "The following analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite Gmail logs to identify emails with these specific domains in their links. This activity is significant because these services are commonly used by attackers to deliver malicious payloads. If confirmed malicious, this could lead to the delivery of malware, phishing attacks, or other harmful activities, potentially compromising sensitive information or systems within the organization.", "references": ["https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` \"link_domain{}\" IN (\"*pastebin.com*\", \"*discord*\", \"*telegram*\",\"t.me\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal email contains this link that are known application within the organization or network can be catched by this detection.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_with_known_abuse_web_service_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2024-05-10", "version": 3, "id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "description": "The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_domain_list", "type": "Email Address", "role": ["Victim"]}, {"name": "dest_domain", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious email from $src_domain_list$ to $dest_domain$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where source_domain=\"internal_test_email.com\" and not dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_outbound_email_with_attachment_to_external_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite suspicious calendar invite", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-21", "version": 2, "id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "description": "The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.", "references": ["https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/", "https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "email", "type": "Email Address", "role": ["Attacker"]}], "message": "Gsuite suspicious calendar invite sent by $email$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email=\"*yourdomain.com\"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`", "how_to_implement": "In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_calendar", "definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_calendar_invite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Suspicious Shared File Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "07eed200-03f5-11ec-98fb-acde48001122", "description": "The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like \"dhl,\" \"ups,\" \"invoice,\" and \"shipment.\" This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user's system.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_drive` parameters.owner_is_team_drive=false \"parameters.doc_title\" IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"*fedex*\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") parameters.doc_type IN (\"document\",\"pdf\", \"msexcel\", \"msword\", \"spreadsheet\", \"presentation\") | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=parameters.target_user \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_suspicious_shared_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Number of Login Failures from a single source", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "description": "The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.", "references": ["https://attack.mitre.org/techniques/T1110/001/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts > 10 | `high_number_of_login_failures_from_a_single_source_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.", "known_false_positives": "An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_number_of_login_failures_from_a_single_source_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual Location", "author": "Patrick Bareiss, Splunk", "date": "2024-05-11", "version": 2, "id": "40a064c1-4ec1-4381-9e35-61192ba8ef82", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests by country. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} | fillnull | search NOT `kube_allowed_locations` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_locations", "definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 2, "id": "096ab390-05ca-462c-884e-343acd5b9240", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user agents. This activity is significant for a SOC because Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of critical information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_agents", "definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "b6f45bbc-4ea9-4068-b3bc-0477f6997ae2", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests and user groups. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_groups", "definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "author": "Patrick Bareiss, Splunk", "date": "2024-05-27", "version": 2, "id": "df6e9cae-5257-4a34-8f3a-df49fa0f5c46", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user names. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_names", "definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Access Scanning", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "2f4abe6d-5991-464d-8216-f90f42999764", "description": "The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities by monitoring Kubernetes audit logs for repeated failed access attempts or unusual API requests. This activity is significant for a SOC as it may indicate an attacker's preliminary reconnaissance to gather information about the system. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, posing a severe security risk.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_access_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-05-17", "version": 2, "id": "10442d8b-0701-4c25-911d-d67b906e713c", "description": "The following analytic identifies anomalous inbound network traffic volumes from processes within containerized workloads. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days. This activity is significant as it may indicate unauthorized data reception, potential breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, it could lead to command and control installation, data integrity damage, container escape, and further environment compromise.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key='dest.workload.name' + \":\" + 'dest.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key='dest.workload.name' + \":\" + 'dest.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_inbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "author": "Matthew Moore, Splunk", "date": "2024-05-13", "version": 2, "id": "4f3b0c97-657e-4547-a89a-9a50c656e3cd", "description": "The following analytic identifies high inbound or outbound network I/O anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup table with average and standard deviation values for network I/O is used to detect anomalies persisting over a 1-hour period. This activity is significant as it may indicate data exfiltration, command and control communication, or unauthorized data transfers. If confirmed malicious, it could lead to data breaches, service outages, financial losses, and reputational damage.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$$|-[abcdef0-9]{8,10}-\\w{5}$$\", \"\") | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = 'k8s.cluster.name' + \":\" + 'service' | lookup k8s_container_network_io_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_io_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_inbound_outbound_network_io_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_container_network_io_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO", "collection": "k8s_container_network_io_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "author": "Matthew Moore, Splunk", "date": "2024-05-26", "version": 2, "id": "9d8f6e3f-39df-46d8-a9d4-96173edc501f", "description": "The following analytic identifies significant changes in network communication behavior within Kubernetes containers by examining the inbound to outbound network IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. Anomalies are detected using a lookup table containing average and standard deviation values for network IO, triggering an event if the anomaly persists for over an hour. This activity is significant as it may indicate data exfiltration, command and control communication, or compromised container behavior. If confirmed malicious, it could lead to data breaches, service outages, and unauthorized access within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_container_network_io_ratio_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO Ratio", "collection": "k8s_container_network_io_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-05-25", "version": 2, "id": "dd6afee6-e0a3-4028-a089-f47dd2842c22", "description": "The following analytic identifies anomalously high outbound network activity from processes running within containerized workloads in a Kubernetes environment. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average metrics over the past 30 days. This activity is significant as it may indicate data exfiltration, process modification, or container compromise. If confirmed malicious, it could lead to unauthorized data exfiltration, communication with malicious entities, or further attacks within the containerized environment.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key='source.workload.name' + \":\" + 'source.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key='source.workload.name' + \":\" + 'source.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_outbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "author": "Matthew Moore, Splunk", "date": "2024-05-24", "version": 2, "id": "886c7e51-2ea1-425d-8705-faaca5a64cc6", "description": "The following analytic identifies anomalous network traffic volumes between Kubernetes workloads or between a workload and external sources. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days to identify significant deviations. This activity is significant as unexpected spikes may indicate unauthorized data transfers or lateral movement. If confirmed malicious, it could lead to data exfiltration or compromise of additional services, potentially resulting in data breaches.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key='source.workload.name' + \":\" + 'dest.workload.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key='source.workload.name' + \":\" + 'dest.workload.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_anomalous_traffic_on_network_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "author": "Rod Soto, Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 3, "id": "042a3d32-8318-4763-9679-09db2644a8f2", "description": "The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from `kube_audit` logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk.", "references": [], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` user.username=\"system:anonymous\" user.groups{} IN (\"system:unauthenticated\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Create or Update Privileged Pod", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "3c6bd734-334d-4818-ae7c-5234313fc5da", "description": "The following analytic detects the creation or update of privileged pods in Kubernetes. It identifies this activity by monitoring Kubernetes Audit logs for pod configurations that include root privileges. This behavior is significant for a SOC as it could indicate an attempt to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, data breaches, and service disruptions, posing a severe threat to the environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes privileged pod created by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"privileged\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_create_or_update_privileged_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Cron Job Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "5984dbe8-572f-47d7-9251-3dff6c3f0c0d", "description": "The following analytic detects the creation of a Kubernetes cron job, which is a task scheduled to run automatically at specified intervals. It identifies this activity by monitoring Kubernetes Audit logs for the creation events of cron jobs. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes cron job creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` verb=create \"objectRef.resource\"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_cron_job_creation_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_cron_job_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes DaemonSet Deployed", "author": "Patrick Bareiss, Splunk", "date": "2024-05-16", "version": 2, "id": "bf39c3a3-b191-4d42-8738-9d9797bd0c3a", "description": "The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. This behavior is identified by monitoring Kubernetes Audit logs for the creation event of a DaemonSet. DaemonSets ensure a specific pod runs on every node, making them a potential vector for persistent access. This activity is significant for a SOC as it could indicate an attempt to maintain persistent access to the Kubernetes infrastructure. If confirmed malicious, it could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "DaemonSet deployed to Kubernetes by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_daemonset_deployed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Falco Shell Spawned", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "d2feef92-d54a-4a19-8306-b47c6ceba5b2", "description": "The following analytic detects instances where a shell is spawned within a Kubernetes container. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment and flags when a shell is spawned. This activity is significant for a SOC as it may indicate unauthorized access, allowing an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges. If confirmed malicious, this could lead to data breaches, service disruptions, or unauthorized access to sensitive information, severely impacting the Kubernetes infrastructure's integrity and security.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A shell is spawned in the container $container_name$ by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_container_falco` \"A shell was spawned in a container\" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user | `kubernetes_falco_shell_spawned_filter`", "how_to_implement": "The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_container_falco", "definition": "sourcetype=\"kube:container:falco\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_falco_shell_spawned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen TCP edge", "author": "Matthew Moore, Splunk", "date": "2024-05-15", "version": 2, "id": "13f081d6-7052-428a-bbb0-892c79ca7c65", "description": "The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen TCP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_tcp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen UDP edge", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "49b7daca-4e3c-4899-ba15-9a175e056fa9", "description": "The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen UDP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_udp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Nginx Ingress LFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "0f83244b-425b-4528-83db-7a88c5f66e48", "description": "The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Local File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request \"^(?\\S+)\\s(?\\S+)\\s\" | eval phase=\"operate\" | eval severity=\"high\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_nginx_ingress_lfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack", "filename": "local_file_inclusion_paths.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "fields_list": null}]}, {"name": "Kubernetes Nginx Ingress RFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "description": "The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Remote File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rex field=request \"^(?\\S+)?\\s(?\\S+)\\s\" | rex field=url \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase=\"operate\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_nginx_ingress_rfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Node Port Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "d7fc865e-b8a1-4029-a960-cf4403b821b6", "description": "The following analytic detects the creation of a Kubernetes NodePort service, which exposes a service to the external network. It identifies this activity by monitoring Kubernetes Audit logs for the creation of NodePort services. This behavior is significant for a SOC as it could allow an attacker to access internal services, posing a threat to the Kubernetes infrastructure's integrity and security. If confirmed malicious, this activity could lead to data breaches, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes node port creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_node_port_creation_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_node_port_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod Created in Default Namespace", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "3d6b1a81-367b-42d5-a925-6ef90b6b9f1e", "description": "The following analytic detects the creation of Kubernetes pods in the default, kube-system, or kube-public namespaces. It leverages Kubernetes audit logs to identify pod creation events within these specific namespaces. This activity is significant for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Unauthorized pod creation in these namespaces can suggest a successful cluster breach, potentially leading to privilege escalation, persistent access, or further malicious activities within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes Pod Created in Default Namespace by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN (\"default\", \"kube-system\", \"kube-public\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_created_in_default_namespace_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_created_in_default_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod With Host Network Attachment", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 2, "id": "cce357cf-43a4-494a-814b-67cea90fe990", "description": "The following analytic detects the creation or update of a Kubernetes pod with host network attachment. It leverages Kubernetes Audit logs to identify pods configured with host network settings. This activity is significant for a SOC as it could allow an attacker to monitor all network traffic on the node, potentially capturing sensitive information and escalating privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, and service disruptions, severely impacting the security and integrity of the Kubernetes environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes pod with host network attachment from user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"hostNetwork\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_with_host_network_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Container Image Name", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "fea515a4-b1d8-4cd6-80d6-e0d71397b891", "description": "The following analytic identifies the creation of containerized workloads using previously unseen images in a Kubernetes cluster. It leverages process metrics from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability Cloud. The detection compares container image names seen in the last hour with those from the previous 30 days. This activity is significant as unfamiliar container images may introduce vulnerabilities, malware, or misconfigurations, posing threats to the cluster's integrity. If confirmed malicious, compromised images can lead to data breaches, service disruptions, unauthorized access, and potential lateral movement within the cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Container Image Name on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"True\" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"false\" ] | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current=\"true\" AND current!=\"false\" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_container_image_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Process", "author": "Matthew Moore, Splunk", "date": "2024-05-13", "version": 2, "id": "c8119b2f-d7f7-40be-940a-1c582870e8e2", "description": "The following analytic detects previously unseen processes within the Kubernetes environment on master or worker nodes. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud. This detection compares processes observed in the last hour against those seen in the previous 30 days. Identifying new processes is crucial as they may indicate unauthorized activity or attempts to compromise the node. If confirmed malicious, these processes could lead to data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware, posing significant risks to the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Process on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current=\"True\" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_previously_unseen_process_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process Running From New Path", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "454076fb-0e9e-4adf-b93a-da132621c5e6", "description": "The following analytic identifies processes running from newly seen paths within a Kubernetes environment. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares processes observed in the last hour with those seen over the previous 30 days. This activity is significant as it may indicate unauthorized changes, compromised nodes, or the introduction of malicious software. If confirmed malicious, it could lead to unauthorized process execution, control over critical resources, data exfiltration, privilege escalation, or malware introduction within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process Running From New Path on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current=\"True\" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_process_running_from_new_path_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_running_from_new_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "25ca9594-7a0d-4a95-a5e5-3228d7398ec8", "description": "The following analytic identifies high resource utilization anomalies in Kubernetes processes. It leverages process metrics from an OTEL collector and hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values to spot anomalies. This activity is significant as high resource utilization can indicate security threats like cryptojacking, unauthorized data exfiltration, or compromised containers. If confirmed malicious, such anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Anomalous Resource Utilisation on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_anomalous_resource_utilisation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_baseline", "description": "A place holder for a list of used Kuberntes Process Resource", "collection": "k8s_process_resource_baseline", "case_sensitive_match": null, "fields_list": "host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key"}]}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "author": "Matthew Moore, Splunk", "date": "2024-05-30", "version": 2, "id": "0d42b295-0f1f-4183-b75e-377975f47c65", "description": "The following analytic detects anomalous changes in resource utilization ratios for processes running on a Kubernetes node. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk Observability Cloud. The detection uses a lookup table containing average and standard deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). Significant deviations from these baselines may indicate compromised processes, malicious activity, or misconfigurations. If confirmed malicious, this could signify a security breach, allowing attackers to manipulate workloads, potentially leading to data exfiltration or service disruption.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Resource Ratio Anomalies on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.disk.operations' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_resource_ratio_anomalies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_ratio_baseline", "description": "A place holder for a list of used Kuberntes Process Ratios", "collection": "k8s_process_resource_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen"}]}, {"name": "Kubernetes Scanner Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 2, "id": "4890cd6b-0112-4974-a272-c5c153aee551", "description": "The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Scanner image pulled on host $host$", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kube_objects_events` object.message IN (\"Pulling image *kube-hunter*\", \"Pulling image *kube-bench*\", \"Pulling image *kube-recon*\", \"Pulling image *kube-recon*\") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase=\"operate\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kube_objects_events", "definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_scanner_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "author": "Patrick Bareiss, Splunk", "date": "2024-05-10", "version": 2, "id": "f9cadf4e-df22-4f4e-a08f-9d3344c2165d", "description": "The following analytic identifies potential scanning activities within a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) from the same source IP. This activity is significant as it may indicate an attacker probing for vulnerabilities or attempting to exploit known issues. If confirmed malicious, such scanning could lead to unauthorized access, data breaches, or further exploitation of the Kubernetes infrastructure, compromising the security and integrity of the environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter`", "how_to_implement": "You must ingest Kubernetes audit logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanning_by_unauthenticated_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node", "author": "Matthew Moore, Splunk", "date": "2024-05-25", "version": 2, "id": "efebf0c4-dcf4-496f-85a2-5ab7ad8fa876", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It leverages process metrics from an OTEL collector hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, pulled from Splunk Observability Cloud. This activity is significant as unauthorized shell processes can indicate potential security threats, providing attackers an entry point to compromise the node and the entire Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "author": "Matthew Moore, Splunk", "date": "2024-05-11", "version": 2, "id": "cc1448e3-cc7a-4518-bc9f-2fa48f61a22b", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node, specifically when shell processes are consuming CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring Add-on, focusing on process.cpu.utilization and process.memory.utilization. This activity is significant as unauthorized shell processes can indicate a security threat, potentially compromising the node and the entire Kubernetes cluster. If confirmed malicious, attackers could gain full control over the host's resources, leading to data theft, service disruption, privilege escalation, and further attacks within the cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell with cpu activity running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Suspicious Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 2, "id": "4d3a17b3-0a6d-4ae0-9421-46623a69c122", "description": "The following analytic detects suspicious image pulling in Kubernetes environments. It identifies this activity by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is significant for a SOC as it may indicate an attacker attempting to deploy malicious software or infiltrate the system. If confirmed malicious, the impact could be severe, potentially leading to unauthorized access to sensitive systems or data, and enabling further malicious activities within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` requestObject.message=\"Pulling image*\" | search NOT `kube_allowed_images` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_suspicious_image_pulling_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_images", "definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_suspicious_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Unauthorized Access", "author": "Patrick Bareiss, Splunk", "date": "2024-05-21", "version": 2, "id": "9b5f1832-e8b9-453f-93df-07a3d6a72a45", "description": "The following analytic detects unauthorized access attempts to Kubernetes by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by examining the source of requests and their response statuses. This activity is significant for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes environment. If confirmed malicious, such access could lead to unauthorized control over Kubernetes resources, potentially compromising sensitive systems or data within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Unauthorized access to Kubernetes from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_unauthorized_access_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_unauthorized_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Add App Role Assignment Grant User", "author": "Rod Soto, Splunk", "date": "2024-05-19", "version": 3, "id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "description": "The following analytic detects the addition of an application role assignment grant to a user in Office 365. It leverages data from the `o365_management_activity` dataset, specifically monitoring the \"Add app role assignment grant to user\" operation. This activity is significant as it can indicate unauthorized privilege escalation or the assignment of sensitive roles to users. If confirmed malicious, this could allow an attacker to gain elevated permissions, potentially leading to unauthorized access to critical resources and data within the Office 365 environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ has created a new federation setting $modified_properties_name$ on $dest$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment grant to user.\" | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_add_app_role_assignment_grant_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Added Service Principal", "author": "Rod Soto, Splunk", "date": "2024-05-27", "version": 4, "id": "1668812a-6047-11eb-ae93-0242ac130002", "description": "The following analytic detects the addition of new service principal accounts in O365 tenants. It leverages data from the `o365_management_activity` dataset, specifically monitoring for operations related to adding or creating service principals. This activity is significant because attackers can exploit service principals to gain unauthorized access and perform malicious actions within an organization's environment. If confirmed malicious, this could allow attackers to interact with APIs, access resources, and execute operations on behalf of the organization, potentially leading to data breaches or further compromise.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"*Add service principal*\" OR (Operation = \"*principal*\" AND action = \"created\") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_added_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "8a1b22eb-50ce-4e26-a691-97ff52349569", "description": "The following analytic identifies instances where a service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent. It leverages `o365_management_activity` logs, specifically focusing on the 'Add app role assignment to service principal' operation. This activity is significant for SOCs as it may indicate a bypass of critical administrative controls, potentially leading to unauthorized access or privilege escalation. If confirmed malicious, this could allow an attacker to misuse automated processes to assign sensitive permissions, compromising the security of the environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment to service principal.\" | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', 0) | search userType = \"ServicePrincipal\" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Advanced Audit Disabled", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "49862dd4-9cb2-4c48-a542-8c8a588d9361", "description": "The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.", "references": ["https://attack.mitre.org/techniques/T1562/008/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Advanced auditing for user $object$ was disabled by $user$", "risk_score": 32, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Change user license.\" | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = \"extendedAuditEventCategory\" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, \"NewValue\") | eval possible_plan=mvindex(split_value, 1) | rex field=\"possible_plan\" \"DisabledPlans=\\[(?P[^\\]]+)\\]\" | search DisabledPlans IN (\"*M365_ADVANCED_AUDITING*\") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_advanced_audit_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Application Registration Owner Added", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "c068d53f-6aaa-4558-8011-3734df878266", "description": "The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $app_displayName$ was assigned a new owner $object$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add owner to application.\" | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Application owners may be added for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_application_registration_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "49cdce75-f814-4d56-a7a4-c64ec3a481f2", "description": "The following analytic detects the assignment of the ApplicationImpersonation role in Office 365 to a user or application. It uses the Office 365 Management Activity API to monitor Azure Active Directory audit logs for role assignment events. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. If confirmed malicious, an attacker could gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user, posing a severe security risk to the organization.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://www.mandiant.com/media/17656"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "target_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted the ApplicationImpersonation role to $target_user$", "risk_score": 56, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-ManagementRoleAssignment\" Role=ApplicationImpersonation | rename User as target_user | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_applicationimpersonation_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "12a23592-e3da-4344-8545-205d3290647c", "description": "The following analytic detects when the \"risk-based step-up consent\" security setting in Microsoft 365 is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats, allowing users to grant consent to malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Risk-based step-up consent security setting was disabled by $user$", "risk_score": 30, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update authorization policy.\" | eval index_number = if(mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) | where AllowUserConsentForRiskyApps like \"%true%\" | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Bypass MFA via Trusted IP", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 4, "id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "description": "The following analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. It leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. This activity is significant because adding trusted IPs can weaken the security posture by bypassing MFA, which is a critical security control. If confirmed malicious, this could lead to unauthorized access, compromising sensitive information and systems. Immediate investigation is required to validate the legitimacy of the IP addition.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/techniques/T1562/007/", "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ip_addresses_new_added", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Set Company Information.\" ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | rex max_match=100 field=ModifiedProperties{}.OldValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,\"0\") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter`", "how_to_implement": "You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_bypass_mfa_via_trusted_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Compliance Content Search Exported", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8", "description": "The following analytic identifies when the results of a content search within the Office 365 Security and Compliance Center are exported. It uses the SearchExported operation from the SecurityComplianceCenter workload in the o365_management_activity data source. This activity is significant because exporting search results can involve sensitive or critical organizational data, potentially leading to data exfiltration. If confirmed malicious, an attacker could gain access to and exfiltrate sensitive information, posing a severe risk to the organization's data security and compliance posture.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search export was started by $user$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=\"SearchExported\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searche exports may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_compliance_content_search_exported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Compliance Content Search Started", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "f4cabbc7-c19a-4e41-8be5-98daeaccbb50", "description": "The following analytic detects when a content search is initiated within the Office 365 Security and Compliance Center. It leverages the SearchCreated operation from the o365_management_activity logs under the SecurityComplianceCenter workload. This activity is significant as it may indicate an attempt to access sensitive organizational data, including emails and documents. If confirmed malicious, this could lead to unauthorized data access, potential data exfiltration, and compliance violations. Monitoring this behavior helps ensure the integrity and security of organizational data.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search was started by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searches may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_compliance_content_search_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "58e034de-1f87-4812-9dc3-a4f68c7db930", "description": "The following analytic identifies user sessions in Office 365 accessed from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) phishing attacks. It detects this activity by analyzing Azure Active Directory logs for 'UserLoggedIn' operations and flags sessions with more than one associated IP address. This behavior is significant as it suggests unauthorized concurrent access, which is uncommon in normal usage. If confirmed malicious, the impact could include data theft, account takeover, and the launching of internal phishing campaigns, posing severe risks to organizational security.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ips", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has logged in with the same session id from more than one unique IP address", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Disable MFA", "author": "Rod Soto, Splunk", "date": "2024-05-11", "version": 3, "id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "description": "The following analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to MFA settings. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. If confirmed malicious, this activity could indicate an attacker attempting to maintain persistence or an insider threat, significantly increasing the risk of unauthorized access. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.", "references": ["https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has executed an operation $action$ for user $user$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Disable Strong Authentication.\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to disable MFA or Strong Authentication", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_disable_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Elevated Mailbox Permission Assigned", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "2246c142-a678-45f8-8546-aaed7e0efd30", "description": "The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission", "https://learn.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Elevated mailbox permissions were assigned on $dest_user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_elevated_mailbox_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Excessive Authentication Failures Alert", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 3, "id": "d441364c-349c-453b-b55f-12eccab67cf9", "description": "The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The threshold for alert is above 10 attempts and this should reduce the number of false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_excessive_authentication_failures_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Excessive SSO logon errors", "author": "Rod Soto, Splunk", "date": "2024-05-17", "version": 4, "id": "8158ccc4-6038-11eb-ae93-0242ac130002", "description": "The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization.", "references": ["https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_excessive_sso_logon_errors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 File Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "6c382336-22b8-4023-9b80-1689e799f21f", "description": "The following analytic identifies instances where a user in the Office 365 environment grants consent to an application requesting file permissions for OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application consent events. This activity is significant because granting such permissions can allow applications to access, modify, or delete files, posing a risk if the application is malicious or overly permissive. If confirmed malicious, this could lead to data breaches, data loss, or unauthorized data manipulation, necessitating immediate investigation to validate the application's legitimacy and assess potential risks.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests file-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Files.Read\", \"Files.Read.All\", \"Files.ReadWrite\", \"Files.ReadWrite.All\", \"Files.ReadWrite.AppFolder\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require file permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_file_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "01a510b3-a6ac-4d50-8812-7e8a3cde3d79", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application registration in Office 365 Exchange Online. This detection leverages Office 365 management activity logs and filters Azure Active Directory workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is granted. This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. If confirmed malicious, this could lead to unauthorized data access, exfiltration, or account compromise. Immediate investigation is required.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 High Number Of Failed Authentications for User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "31641378-2fa9-42b1-948e-25e281cb98f7", "description": "The following analytic identifies an O365 account experiencing more than 20 failed authentication attempts within 5 minutes. It uses O365 Unified Audit Logs, specifically \"UserLoginFailed\" events, to monitor and flag accounts exceeding this threshold. This activity is significant as it may indicate a brute force attack or password guessing attempt. If confirmed malicious, an attacker could gain unauthorized access to the O365 environment, potentially compromising sensitive emails, documents, and other data. Prompt investigation and action are crucial to prevent unauthorized access and data breaches.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to authenticate more than 10 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Although unusual, users who have lost their passwords may trigger this detection. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 High Privilege Role Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "e78a1037-4548-4072-bb1b-ad99ae416426", "description": "The following analytic detects when high-privilege roles such as \"Exchange Administrator,\" \"SharePoint Administrator,\" or \"Global Administrator\" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide", "https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted high privilege roles to $ObjectId$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Add member to role.\" Workload=AzureActiveDirectory | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) | where role_id IN (\"29232cdf-9323-42fd-ade2-1d097af3e4de\", \"f28a1f50-f6e7-4571-818b-6a12f2af6b6c\", \"62e90394-69f5-4237-9190-012177145e10\") | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privilege roles may be assigned for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_high_privilege_role_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "fddad083-cdf5-419d-83c6-baa85e329595", "description": "The following analytic identifies instances where a user grants consent to an application requesting mail-related permissions within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to application permissions and user consent actions. This activity is significant as it can indicate potential security risks, such as data exfiltration or spear phishing, if malicious applications gain access. If confirmed malicious, this could lead to unauthorized data access, email forwarding, or sending malicious emails from the compromised account. Validating the legitimacy of the application and consent context is crucial to prevent data breaches.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests mail-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Mail.Read\", \"Mail.ReadBasic\", \"Mail.ReadWrite\", \"Mail.Read.Shared\", \"Mail.ReadWrite.Shared\", \"Mail.Send\", \"Mail.Send.Shared\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mail_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Email Forwarding Enabled", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "0b6bc75c-05d1-4101-9fc3-97e706168f24", "description": "The following analytic identifies instances where email forwarding has been enabled on mailboxes within an Office 365 environment. It detects this activity by monitoring the Set-Mailbox operation within the o365_management_activity logs, specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress parameters. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "references": ["https://attack.mitre.org/techniques/T1114/003/", "https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Email forwarding configured by $user$ on mailbox $ObjectId$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', \"ForwardingAddress\") | eval match2=mvfind('Parameters{}.Name', \"ForwardingSmtpAddress\") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) | search ForwardTo!=\"\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Email forwarding may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_email_forwarding_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "1435475e-2128-4417-a34f-59770733b0d5", "description": "The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946", "https://learn.microsoft.com/en-us/purview/audit-mailboxes"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_folder_read_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "cd15c0a8-470e-4b12-9517-046e4927db30", "description": "The following analytic identifies instances where read permissions are granted to mailbox folders within an Office 365 environment. It detects this activity by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` and `Add-MailboxFolderPermission` operations. This behavior is significant as it may indicate unauthorized access or changes to mailbox folder permissions, potentially exposing sensitive email content. If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange (Operation=\"Set-MailboxFolderPermission\" OR Operation=\"Add-MailboxFolderPermission\" ) | eval isReadRole=if(match(AccessRights, \"^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$\"), \"true\", \"false\") | search isReadRole=\"true\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_folder_read_permission_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "21421896-a692-4594-9888-5faeb8a53106", "description": "The following analytic detects instances where the inbox folder of an Office 365 mailbox is shared with all users within the tenant. It leverages Office 365 management activity events to identify when the 'Inbox' folder permissions are modified to include 'Everyone' with read rights. This activity is significant as it represents a potential security risk, allowing unauthorized access to sensitive emails. If confirmed malicious, this could lead to data breaches, exfiltration of confidential information, and further compromise through spear-phishing or other malicious activities based on the accessed email content.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.blackhillsinfosec.com/abusing-exchange-mailbox-permissions-mailsniper/", "https://learn.microsoft.com/en-us/purview/audit-mailboxes", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "MailboxOwnerUPN", "type": "User", "role": ["Victim"]}], "message": "Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | search isReadRole = \"true\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_inbox_folder_shared_with_all_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Mailbox Read Access Granted to Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "27ab61c5-f08a-438a-b4d3-325e666490b3", "description": "The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.cisa.gov/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://graphpermissions.merill.net/permission/Mail.Read"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $object$ was grandes mailbox read access by $user$", "risk_score": 45, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Update application.\" | eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) | eval json_data=replace(json_data, \"^\\[\\s*\", \"\") | eval json_data=replace(json_data, \"\\s*\\]$\", \"\") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\") | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_mailbox_read_access_granted_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 2, "id": "ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa", "description": "The following analytic identifies a spike in failed authentication attempts within an Office 365 environment, indicative of a potential distributed password spraying attack. It leverages UserLoginFailed events from O365 Management Activity logs, focusing on ErrorNumber 50126. This detection is significant as it highlights attempts to bypass security controls using multiple IP addresses and user agents. If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. Early detection is crucial to prevent account takeovers and mitigate subsequent threats.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "66adc486-224d-45c1-8e4d-9e7eeaba988f", "description": "The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "fd22124e-dbac-4744-a8ce-be10d8ec3e26", "description": "The following analytic identifies potential \"MFA fatigue\" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requestes for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "7cd853e9-d370-412f-965d-a2bcff2a2908", "description": "The following analytic detects when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within a short timeframe. It leverages 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. This activity is significant as it may indicate unauthorized mass email access, potentially signaling data exfiltration or account compromise. If confirmed malicious, attackers could gain access to sensitive information, leading to data breaches and further exploitation of compromised accounts. The threshold is set to flag over five unique mailboxes accessed within 10 minutes, but should be tailored to your environment.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, \"^Client=WebServices;ExchangeWebServices\"), 1, 0) | search (AppId=\"00000003-0000-0000-c000-000000000000\" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_mailboxes_accessed_via_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe", "description": "The following analytic identifies instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in the Office 365 Azure Active Directory environment. This activity is significant as it may indicate a compromised or malicious service principal attempting to expand control or access within the network. If confirmed malicious, this could lead to unauthorized access and potential lateral movement within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"ServicePrincipal\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "a34e65d0-54de-4b02-9db8-5a04522067f6", "description": "The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in Azure Active Directory. This activity is significant as it may indicate a compromised user account or unauthorized actions, potentially leading to broader network infiltration or privilege escalation. If confirmed malicious, this behavior could allow attackers to gain persistent access, escalate privileges, or exfiltrate sensitive information.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"User\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "8d486e2e-3235-4cfe-ac35-0d042e24ecb4", "description": "The following analytic identifies instances where more than 10 unique user accounts fail to authenticate from a single IP address within a 5-minute window. This detection leverages O365 audit logs, specifically Azure Active Directory login failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to breach security by targeting multiple accounts, potentially leading to unauthorized access. Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "68469fd0-1315-44ba-b7e4-e92847bb76d6", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', \"ForwardTo\") | eval match2=mvfind('Parameters{}.Name', \"ForwardAsAttachmentTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectTo\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_email_forwarding_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Enabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "ac7c4d0a-06a3-4278-aa59-88a5e537f981", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment via the UpdateInboxRules operation. It leverages Office 365 management activity events to detect rules that forward emails to external recipients by examining the OperationProperties for specific forwarding actions. This activity is significant as it may indicate unauthorized email redirection, potentially leading to data exfiltration. If confirmed malicious, attackers could intercept sensitive communications, leading to data breaches and information leakage.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind('OperationProperties{}.Value', \"ForwardToRecipientsAction\") | eval match2=mvfind('OperationProperties{}.Value', \"ForwardAsAttachmentToRecipientsAction\") | eval match3=mvfind('OperationProperties{}.Value', \"RedirectToRecipientsAction\") | eval index = mvfind('OperationProperties{}.Name', \"ServerRule\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value', index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted=\"*@*.*\" | eval ForwardTo=if(match(valueExtracted, \"^[^@]+@[^@]+\\\\.[^@]+$\"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_email_forwarding_rule_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Federated Domain Added", "author": "Rod Soto, Mauricio Velazco Splunk", "date": "2024-05-28", "version": 4, "id": "e155876a-6048-11eb-ae93-0242ac130002", "description": "The following analytic identifies the addition of a new federated domain in an Office 365 environment. This behavior is detected by analyzing Office 365 management activity logs, specifically filtering for Workload=Exchange and Operation=\"Add-FederatedDomain\". The addition of a new federated domain is significant as it may indicate unauthorized changes or potential compromises. If confirmed malicious, attackers could establish a backdoor, bypass security measures, or exfiltrate data, leading to data breaches and unauthorized access to sensitive information. Immediate investigation is required to review the details of the added domain and any concurrent suspicious activities.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://o365blog.com/post/aadbackdoor/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has added a new federated domain $new_value$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation IN (\"*add*\", \"*new*\") AND Operation=\"*domain*\" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.", "known_false_positives": "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Forwarding Mailflow Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "289ed0a1-4c78-4a43-9321-44ea2e089c14", "description": "The following analytic detects the creation of new mail flow rules in Office 365 that may redirect or copy emails to unauthorized or external addresses. It leverages Office 365 Management Activity logs, specifically querying for the \"New-TransportRule\" operation and parameters like \"BlindCopyTo\", \"CopyTo\", and \"RedirectMessageTo\". This activity is significant as it can indicate potential data exfiltration or unauthorized access to sensitive information. If confirmed malicious, attackers could intercept or redirect email communications, leading to data breaches or information leakage.", "references": ["https://attack.mitre.org/techniques/T1114/", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new forwarding mailflow rule was created by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-TransportRule\" | eval match1=mvfind('Parameters{}.Name', \"BlindCopyTo\") | eval match2=mvfind('Parameters{}.Name', \"CopyTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectMessageTo\") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!=\"\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Forwarding mail flow rules may be created for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_forwarding_mailflow_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "4e12db1f-f7c7-486d-8152-a221cad6ac2b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was added for $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update user.\" | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "e600cf1a-0bef-4426-b42e-00176d610a4d", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. It leverages the ClientInfoString field to identify EWS interactions and aggregates metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing emails through EWS is crucial for identifying potential abuse or unauthorized data access. If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString=\"^Client=WebServices;ExchangeWebServices\" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_oauth_app_mailbox_access_via_ews_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "9db0d5b0-4058-4cb7-baaf-77d8143539a2", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. This activity is significant as unauthorized access to emails can lead to data breaches and information theft. If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization’s network.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_oauth_app_mailbox_access_via_graph_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb", "description": "The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 PST export alert", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 3, "id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "description": "The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name \"eDiscovery search started or exported.\" This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required.", "references": ["https://attack.mitre.org/techniques/T1114/"], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Source", "type": "User", "role": ["Victim"]}], "message": "User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Category=ThreatManagement Name=\"eDiscovery search started or exported\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_pst_export_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Security And Compliance Alert Triggered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 2, "id": "5b367cdd-8dfc-49ac-a9b7-6406cf27f33e", "description": "The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide", "https://learn.microsoft.com/en-us/purview/alert-policies"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Security and Compliance triggered an alert for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data path=lon output=operation_name | spath input=Data path=an output=alert_name | spath input=Data path=sev output=severity | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_security_and_compliance_alert_triggered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Service Principal New Client Credentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "a1b229e9-d962-4222-8c62-905a8a010453", "description": "The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "New credentials added for Service Principal $object$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application*Certificates and secrets management \" | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "50eaabf8-5180-4e86-bfb2-011472c359fc", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The $object$ application registration was granted tenant wide admin consent.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Consent to application.\" | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "242e4d30-cb59-4051-b0cf-58895e218f40", "description": "The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "O365 has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = \"Risky application detected\" | rex field=permissions \"Scope: (?[^,]+)\" | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "2d8679ef-b075-46be-8059-c25116cb1072", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Office 365 environment. This detection leverages O365 audit logs, focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, it captures instances where users have actively rejected permission requests. This activity is significant as it may indicate users spotting potentially suspicious or unfamiliar applications. If confirmed malicious, it suggests an attempt by a potentially harmful application to gain unauthorized access, which was proactively blocked by the user.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ denifed consent for an OAuth application.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_graph` status.errorCode=65004 | rename userPrincipalName as user | rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_graph", "definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Risk Rule for Dev Sec Ops by Repository", "author": "Bhavin Patel", "date": "2024-05-24", "version": 2, "id": "161bc0ca-4651-4c13-9c27-27770660cf67", "description": "The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages risk events from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Amazon Elastic Container Registry", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Other", "role": ["Victim"]}], "message": "Correlation triggered for repository $risk_object$", "risk_score": 70, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Dev Sec Ops\" All_Risk.risk_object_type = \"other\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`", "how_to_implement": "Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security.", "known_false_positives": "Unknown", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "risk_rule_for_dev_sec_ops_by_repository_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0dac4", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "dec41ad5-d579-42cb-b4c6-f5dbb778bbe5", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "8d301246-fccf-45e2-a8e7-3655fd14379c", "description": "This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "1c02b86a-cd85-473e-a50b-014a9ac8fe3e", "description": "This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename \"IsOutlier(instances_terminated)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS CreateAccessKey", "author": "Patrick Bareiss, Splunk", "date": "2022-05-23", "version": 1, "id": "ccb3e4af-23d6-407f-9842-a26212816c9e", "description": "This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $responseElements.accessKey.userName$ is attempting to create access keys for $responseElements.accessKey.userName$ from this IP $src_endpoint.ip$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin \"^(?[^,]+),(?.*)$\" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2023-06-01", "version": 1, "id": "ff2bfdbc-65b7-4434-8f08-d55761d1d446", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "user $identity.user.name$ has excessive number of api calls.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ASL AWS Password Policy Changes", "author": "Patrick Bareiss, Splunk", "date": "2023-05-22", "version": 1, "id": "5ade5937-11a2-4363-ba6b-39a3ee8d5b1a", "description": "This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $identity.user.name$ is attempting to $api.operation$ the password policy for accounts", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` \"api.service.name\"=\"iam.amazonaws.com\" \"api.operation\" IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") \"api.response.error\"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "asl_aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen City", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "344a1778-0b25-490c-adb1-de8beddf59cd", "description": "This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "ceb8d3d8-06cb-49eb-beaf-829526e33ff0", "description": "This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "42e15012-ac14-4801-94f4-f1acbe64880b", "description": "This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "7971d3df-da82-4648-a6e5-b5637bea5253", "description": "This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7f227943-2196-4d4d-8d6a-ac8cb308e61c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`", "how_to_implement": "You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clients Connecting to Multiple DNS Servers", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "74ec6f18-604b-4202-a567-86b2066be3ce", "description": "This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\"Network_Resolution\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter`", "how_to_implement": "This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Distinct DNS Connections, **Field:** dest_count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "clients_connecting_to_multiple_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cloud Network Access Control List Deleted", "author": "Peter Gael, Splunk", "date": "2020-09-08", "version": 1, "id": "021abc51-1862-41dd-ad43-43c739c0a983", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Correlation by Repository and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687", "description": "This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_repository_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Correlation by User and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "610e12dc-b6fa-4541-825e-4a0b3b6f6773", "description": "The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_user_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Activity Related to Pass the Hash Attacks", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2020-10-15", "version": 6, "id": "f5939373-8054-40ad-8c64-cec478a22a4b", "description": "This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique.", "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName=\"ANONYMOUS LOGON\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`", "how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.", "known_false_positives": "Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_activity_related_to_pass_the_hash_attacks_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect API activity from users without MFA", "author": "Bhavin Patel, Splunk", "date": "2018-05-17", "version": 1, "id": "4d46e8bd-4072-48e4-92db-0325889ef894", "description": "This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** AWS User ARN, **Field:** userIdentity.arn\n* **Label:** AWS User Type, **Field:** userIdentity.type\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_api_activity_from_users_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d82362d4bd55", "description": "This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \"Create a list of approved AWS service accounts\": run it once every 30 days to create and validate a list of service accounts.\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** First Time, **Field:** firstTime\n* **Label:** Last Time, **Field:** lastTime\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_api_activities_from_unapproved_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "24dd17b1-e2fb-4c31-878c-d4f226595bfa", "description": "This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.", "references": [], "tags": {"analytic_story": ["Common Phishing Frameworks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \"Web.*\" as * | rex field=site \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`", "how_to_implement": "You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app.\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`)", "known_false_positives": "If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.", "datamodel": ["Network_Resolution", "Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "evilginx_phishlets_0365", "definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365"}, {"name": "evilginx_phishlets_amazon", "definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon"}, {"name": "evilginx_phishlets_aws", "definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console"}, {"name": "evilginx_phishlets_facebook", "definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook"}, {"name": "evilginx_phishlets_github", "definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub"}, {"name": "evilginx_phishlets_google", "definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google"}, {"name": "evilginx_phishlets_outlook", "definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook"}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Long DNS TXT Record Response", "author": "Rico Valdez, Splunk", "date": "2020-07-21", "version": 2, "id": "05437c07-62f5-452e-afdc-04dd44815bb9", "description": "This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \"Source IP\", dest as \"Destination IP\", answer as \"DNS Answer\" anslen as \"Answer Length\" record_type as \"DNS Record Type\" firstTime as \"First Time\" lastTime as \"Last Time\" count as Count | table \"Source IP\" \"Destination IP\" \"DNS Answer\" \"DNS Record Type\" \"Answer Length\" Count \"First Time\" \"Last Time\" | `detect_long_dns_txt_record_response_filter`", "how_to_implement": "To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.", "known_false_positives": "It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_long_dns_txt_record_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Mimikatz Using Loaded Images", "author": "Patrick Bareiss, Splunk", "date": "2019-12-03", "version": 1, "id": "29e307ba-40af-4ab2-91b2-3c6b392bbba0", "description": "This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Cloud Federated Credential Abuse", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack", "Sandworm Tools"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_using_loaded_images_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "author": "Rico Valdez, Splunk", "date": "2019-02-27", "version": 2, "id": "98917be2-bfc8-475a-8618-a9bb06575188", "description": "This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.", "references": [], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`", "how_to_implement": "You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \"Administrators\" to be able to look for the right group membership changes.", "known_false_positives": "The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect new API calls from user roles", "author": "Bhavin Patel, Splunk", "date": "2018-04-16", "version": 1, "id": "22773e84-bac0-4595-b086-20d3f335b4f1", "description": "This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \"-70m@m\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously seen API call per user roles in AWS CloudTrail\" support search once to create a history of previously seen user roles.", "known_false_positives": "It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_api_calls_from_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect new user AWS Console Login", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f3-d82362dffd75", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS Login Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \"-70m@m\"), \"First Time Logging into AWS Console\",\"Previously Seen User\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\"First Time Logging into AWS Console\" | `detect_new_user_aws_console_login_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen users in AWS CloudTrail\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \"Update previously seen users in AWS CloudTrail\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_new_user_aws_console_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS API Activity", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d32362d4bd55", "description": "This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** Number of API Calls, **Field:** numberOfApiCalls\n* **Label:** Unique API Calls, **Field:** uniqueApisCalled\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "None.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 1, "id": "ada0f478-84a8-4641-a1f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Network ACL Activity by ARN\" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_acl_events", "definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs"}, {"name": "detect_spike_in_network_acl_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in Security Group Activity", "author": "Bhavin Patel, Splunk", "date": "2018-04-18", "version": 1, "id": "ada0f478-84a8-4641-a3f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the \"Baseline of Security Group Activity by ARN\" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_group_api_calls", "definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups"}, {"name": "detect_spike_in_security_group_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect USB device insertion", "author": "Bhavin Patel, Splunk", "date": "2017-11-27", "version": 1, "id": "104658f4-afdc-499f-9719-17a43f9826f5", "description": "The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Data Protection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\"Removable Storage device\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\"All_Changes\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.", "known_false_positives": "Legitimate USB activity will also be detected. Please verify and investigate as appropriate.", "datamodel": ["Change", "Change_Analysis"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_usb_device_insertion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect web traffic to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd01c18f301", "description": "This search looks for web connections to dynamic DNS providers.", "references": [], "tags": {"analytic_story": ["Dynamic DNS"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`", "how_to_implement": "This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.", "known_false_positives": "It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.", "datamodel": ["Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "dynamic_dns_web_traffic", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_web_traffic_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detection of DNS Tunnels", "author": "Bhavin Patel, Splunk", "date": "2022-02-15", "version": 2, "id": "104658f4-afdc-499f-9719-17a43f9826f4", "description": "This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\nNOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.", "references": [], "tags": {"analytic_story": ["Command And Control", "Data Protection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` dc(\"DNS.query\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.query\" | rename \"DNS.src\" as src \"DNS.query\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\"DNS.answer\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.answer\" | rename \"DNS.src\" as src \"DNS.answer\" as message | eval message=if(message==\"unknown\",\"\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`", "how_to_implement": "To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.", "known_false_positives": "It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detection_of_dns_tunnels_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f6", "description": "This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\"DNS\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.", "known_false_positives": "Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS record changed", "author": "Jose Hernandez, Splunk", "date": "2020-07-21", "version": 3, "id": "44d3a43e-dcd5-49f7-8356-5209bb369065", "description": "The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.", "references": [], "tags": {"analytic_story": ["DNS Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\"unknown\" DNS.answer!=\"\" by DNS.query | rename DNS.query as query | where query!=\"unknown\" | rex field=query \"(?\\w+\\.\\w+?)(?:$|/)\"] | makemv delim=\" \" answer | makemv delim=\" \" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \"Discover DNS record\".\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"DNS Hijack Enrichment\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`)", "known_false_positives": "Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dns_record_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Dump LSASS via procdump Rename", "author": "Michael Haag, Splunk", "date": "2021-02-01", "version": 1, "id": "21276daa-663d-11eb-ae93-0242ac130002", "description": "Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$, attempting to dump lsass.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "None identified.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "dump_lsass_via_procdump_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Modified With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "56f91724-cf3f-4666-84e1-e3712fb41e76", "description": "This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Unusual AWS EC2 Modifications"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_modification_api_calls", "definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_modified_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "author": "Bhavin Patel, Splunk", "date": "2018-02-23", "version": 1, "id": "ada0f478-84a8-4641-a3f3-d82362d6fd75", "description": "This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\"-1d@d\"), \"Instance Started in a New Region\",\"Previously Seen Region\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\"Instance Started in a New Region\" | `ec2_instance_started_in_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen AWS Regions\" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_in_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen AMI", "author": "David Dorsey, Splunk", "date": "2018-03-12", "version": 1, "id": "347ec301-601b-48b9-81aa-9ddf9c829dd3", "description": "This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 AMIs\" support search once to create a history of previously seen AMIs.", "known_false_positives": "After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_with_previously_unseen_ami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2020-02-07", "version": 2, "id": "65541c80-03c7-4e05-83c8-1dcd57a2e1ad", "description": "This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\"m1.small\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Instance Types\" support search once to create a history of previously seen instance types.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "22773e84-bac0-4595-b086-20d3f735b4f1", "description": "This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs.", "known_false_positives": "It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ec2_instance_started_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Execution of File With Spaces Before Extension", "author": "Rico Valdez, Splunk", "date": "2020-11-19", "version": 3, "id": "ab0353e6-a956-420b-b724-a8b4846d5d5a", "description": "This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.", "references": [], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* .*\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_spaces_before_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Extended Period Without Successful Netbackup Backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aef-952c-3ea214444440", "description": "This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` MESSAGE=\"Disk/Partition backup completed successfully.\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \"-7d@d\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "extended_period_without_successful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "First time seen command line argument", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 5, "id": "a1b6e73f-98d5-470f-99ac-77aacd578473", "description": "This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "first_time_seen_command_line_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Detect accounts with high risk roles by project", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "27af8c15-38b0-4408-b339-920170724adb", "description": "This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/understanding-roles"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Detect high risk permissions by resource and account", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "2e70ef35-2187-431f-aedc-4503dc9b06ba", "description": "This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/permissions-reference"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "gcp detect oauth token abuse", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972", "description": "This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.", "references": ["https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1", "https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_oauth_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "db5957ec-0144-4c56-b512-9dccbe7a2d26", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \"data.labels.authorization.k8s.io/decision\"=forbid \"data.protoPayload.status.message\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\"system:anonymous\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gcp_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Identify New User Accounts", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "475b9e27-17e4-46e2-b7e2-648221be3b89", "description": "This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.", "references": [], "tags": {"analytic_story": [], "asset_type": "Domain Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, \"Accounts created in last week\") | search empStatus=\"Accounts created in last week\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`", "how_to_implement": "To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.", "known_false_positives": "If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "identify_new_user_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "5b30b25d-7d32-42d8-95ca-64dfcd9076e6", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "de7264ed-3ed9-4fef-bb01-6eefc87cefe8", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "b6013a7b-85e0-4a45-b051-10b252d69569", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "a6959c57-fa8f-4277-bb86-7c32fba579d5", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "55a2264a-b7f0-45e5-addd-1e5ab3415c72", "description": "This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "47af7d20-0607-4079-97d7-7a29af58b54e", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "1bba382b-07fd-4ffa-b390-8002739b76e8", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "f27349e5-1641-4f6a-9e68-30402be0ad4c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "019690d7-420f-4da0-b320-f27b09961514", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "4b6d1ba8-0000-4cec-87e6-6cbbd71651b5", "description": "This search provides information on rare Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure pod scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "86aad3e0-732f-4f66-bbbc-70df448e461d", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_pod_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-19", "version": 1, "id": "c5e5bd5c-1013-4841-8b23-e7b3253c840a", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-07-10", "version": 1, "id": "7f5c2779-88a0-4824-9caa-0f606c8f260f", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk GCP add on. This search works with pubsub messaging service logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "99487de3-7192-4b41-939d-fbe9acfb1340", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`", "how_to_implement": "You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "bdb6d596-86a0-4aba-8369-418ae8b9963a", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`", "how_to_implement": "You must install splunk add on for GCP . This search works with pubsub messaging service logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a46923f6-36b9-4806-a681-31f314907c30", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging servicelogs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7094808d-432a-48e7-bb3c-77e96c894f3b", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging service logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a5bed417-070a-41f2-a1e4-82b6aa281557", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor DNS For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2017-09-23", "version": 1, "id": "24dd17b1-e2fb-4c31-878c-d4f746595bfa", "description": "This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command.", "known_false_positives": "None at this time", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_dns", "definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "monitor_dns_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "author": "Michael Haag, Mauricio Velazco, Rico Valdez, Splunk", "date": "2024-02-29", "version": 3, "id": "19cba45f-cad3-4032-8911-0c09e0444552", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS", "https://developer.okta.com/docs/reference/api/system-log/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multple user accounts have failed to authenticate from a single IP.", "risk_score": 9, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Suspicious Admin Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "7f398cfb-918d-41f4-8db8-2e2474e02c28", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_admin_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Suspicious Rights Delegation", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-15", "version": 2, "id": "b25d2973-303e-47c8-bacd-52b61604c6a7", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access.", "references": ["https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://attack.mitre.org/techniques/T1098/002/", "https://attack.mitre.org/techniques/T1114/002/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_rights_delegation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Suspicious User Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "f8dfe015-dbb3-4569-ba75-b13787e06aa4", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the \"Identity\" field as \"src_user\" and searches for entries where the \"ForwardingSmtpAddress\" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ForwardingSmtpAddress", "type": "Email Address", "role": ["Other"]}], "message": "User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_user_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Account Locked Out", "author": "Michael Haag, Splunk", "date": "2022-09-21", "version": 1, "id": "d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_user$ account has been locked out.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_account_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Account Lockout Events", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-19", "version": 2, "id": "62b70968-a0a5-4724-8ac4-67871e6f544d", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.", "references": ["https://developer.okta.com/docs/reference/api/event-types/#catalog", "https://developer.okta.com/docs/reference/api/event-types/?q=user.account.lock"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following user $src_user$ has locked out their account within Okta.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_account_lockout_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Failed SSO Attempts", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-21", "version": 3, "id": "371a6545-2618-4032-ad84-93386b8698c5", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event \"unauth app access attempt\".", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ failed SSO authentication to the app.", "risk_score": 16, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "There may be a faulty config preventing legitmate users from accessing apps they should have access to.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_failed_sso_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "632663b0-4562-4aad-abe9-9f621a049738", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a high number of login failures.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Login failures with high unknown users count*\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_threatinsight_login_failure_with_high_unknown_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "25dbad05-6682-4dd5-9ce9-8adecf0d9ae2", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify \"PasswordSpray\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a PasswordSpray attack.", "risk_score": 60, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Password Spray\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta_threatinsight_suspected_passwordspray_attack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Two or More Rejected Okta Pushes", "author": "Michael Haag, Marissa Bower, Splunk", "date": "2022-09-27", "version": 1, "id": "d93f785e-4c2c-4262-b8c7-12b77a13fd39", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` outcome.reason=\"User rejected Okta push verify\" OR (debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\" outcome.result=FAILURE legacyEventType=\"core.user.factor.attempt_fail\" \"target{}.detailEntry.methodTypeUsed\"=\"Get a push notification\") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, \"@\"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_two_or_more_rejected_okta_pushes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Open Redirect in Splunk Web", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "d199fb99-2312-451a-9daa-e5efa6ed76a7", "description": "This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunk_web_access return_to=\"/%09/*\" | `open_redirect_in_splunk_web_filter`", "how_to_implement": "No extra steps needed to implement this search.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "open_redirect_in_splunk_web_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Osquery pack - ColdRoot detection", "author": "Rico Valdez, Splunk", "date": "2019-01-29", "version": 1, "id": "a6fffe5e-05c3-4c04-badc-887607fbb8dc", "description": "This search looks for ColdRoot events from the osx-attacks osquery pack.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "osquery_pack___coldroot_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes created by netsh", "author": "Bhavin Patel, Splunk", "date": "2020-11-23", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162041e", "description": "This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.", "references": [], "tags": {"analytic_story": ["Netsh Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude \"C:\\Program Files\\rempl\\sedlauncher.exe\" process path since it is a legitimate process by Mircosoft.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "processes_created_by_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Prohibited Software On Endpoint", "author": "David Dorsey, Splunk", "date": "2019-10-11", "version": 2, "id": "a51bfe1a-94f0-48cc-b4e4-b6ae50145893", "description": "This search looks for applications on the endpoint that you have marked as prohibited.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "prohibited_softwares", "definition": "search *", "description": "This macro is deprecated. Update this macro to look for prohibited softwares in your environment"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "prohibited_software_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Reg exe used to hide files directories via registry keys", "author": "Bhavin Patel, Splunk", "date": "2019-02-27", "version": 2, "id": "61a7d1e6-f5d4-41d9-a9be-39a1ffe69459", "description": "The search looks for command-line arguments used to hide a file or directory using the reg add command.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\"*add*\" Processes.process=\"*Hidden*\" Processes.process=\"*REG_DWORD*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \"(/d\\s+2)\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None at the moment", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Registry Key modifications", "author": "Bhavin Patel, Splunk", "date": "2020-03-02", "version": 3, "id": "c9f4b923-f8af-4155-b697-1354f5dcbc5e", "description": "This search monitors for remote modifications to registry keys.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"\\\\\\\\*\" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`", "how_to_implement": "To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.", "known_false_positives": "This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_registry_key_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled tasks used in BadRabbit ransomware", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6", "description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection", "references": [], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \"*create*\" OR Processes.process= \"*delete*\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No known false positives", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "scheduled_tasks_used_in_badrabbit_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spectre and Meltdown Vulnerable Systems", "author": "David Dorsey, Splunk", "date": "2017-01-07", "version": 1, "id": "354be8e0-32cd-4da0-8c47-796de13b60ea", "description": "The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.", "references": [], "tags": {"analytic_story": ["Spectre And Meltdown Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\"CVE-2017-5753\" OR Vulnerabilities.cve =\"CVE-2017-5715\" OR Vulnerabilities.cve =\"CVE-2017-5754\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`", "how_to_implement": "The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.", "known_false_positives": "It is possible that your vulnerability scanner is not detecting that the patches have been applied.", "datamodel": ["Vulnerabilities"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spectre_and_meltdown_vulnerable_systems_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise Information Disclosure", "author": "David Dorsey, Splunk", "date": "2018-06-14", "version": 1, "id": "f6a26b7b-7e80-4963-a9a8-d836e7534ebd", "description": "This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\"*raw/services/server/info/server-info\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`", "how_to_implement": "The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.", "known_false_positives": "Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_information_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Changes to File Associations", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 4, "id": "1b989a0e-0129-4446-a695-f193a5b746fc", "description": "This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\\\Explorer\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_changes_to_file_associations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email - UBA Anomaly", "author": "Bhavin Patel, Splunk", "date": "2020-07-22", "version": 3, "id": "56e877a6-1455-4479-ad16-0550dc1e33f8", "description": "This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).", "references": [], "tags": {"analytic_story": ["Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \"SuspiciousEmailDetectionModel\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`", "how_to_implement": "You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called \"SuspiciousEmailDetectionModel.\" Ensure that this model is enabled on your UBA instance.", "known_false_positives": "This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.", "datamodel": ["Email", "UEBA"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_email___uba_anomaly_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious File Write", "author": "Rico Valdez, Splunk", "date": "2019-04-25", "version": 3, "id": "57f76b8a-32f0-42ed-b358-d9fa3ca7bac8", "description": "The search looks for files created with names that have been linked to malicious activity.", "references": [], "tags": {"analytic_story": ["Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor.", "known_false_positives": "It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_writes", "definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious"}, {"name": "suspicious_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Powershell Command-Line Arguments", "author": "David Dorsey, Splunk", "date": "2021-01-19", "version": 6, "id": "2cdb91d2-542c-497f-b252-be495e71f38c", "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", "references": [], "tags": {"analytic_story": ["CISA AA22-320A", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_powershell_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 Rename", "author": "Michael Haag, Splunk", "date": "2022-04-07", "version": 5, "id": "7360137f-abad-473e-8189-acbdaa34d114", "description": "The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed rundll32.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to System Volume Information", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 2, "id": "cd6297cd-2bdd-4aa1-84aa-5d2f84228fac", "description": "This search detects writes to the 'System Volume Information' folder by something other than the System process.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\ Volume Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`", "how_to_implement": "You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_writes_to_system_volume_information_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Uncommon Processes On Endpoint", "author": "David Dorsey, Splunk", "date": "2020-07-22", "version": 4, "id": "29ccce64-a10c-4389-a45f-337cb29ba1f7", "description": "This search looks for applications on the endpoint that you have marked as uncommon.", "references": [], "tags": {"analytic_story": ["Hermetic Wiper", "Unusual Processes", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uncommon_processes", "definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon"}, {"name": "uncommon_processes_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsigned Image Loaded by LSASS", "author": "Patrick Bareiss, Splunk", "date": "2019-12-06", "version": 1, "id": "56ef054c-76ef-45f9-af4a-a634695dcd65", "description": "This search detects loading of unsigned images by LSASS. Deprecated because too noisy.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsigned_image_loaded_by_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsuccessful Netbackup backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aaa-952c-3ea21444444f", "description": "This search gives you the hosts where a backup was attempted and then failed.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\"An error occurred, failed to backup.\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unsuccessful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Account Harvesting", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "bf1d7b5c-df2f-4249-a401-c09fdc221ddf", "description": "This search is used to identify the creation of multiple user accounts using the same email domain name.", "references": ["https://splunkbase.splunk.com/app/2734/", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_content_type=text* uri=\"/magento2/customer/account/loginPost/\" | rex field=cookie \"form_key=(?\\w+)\" | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | search Username=* | rex field=Username \"@(?.*)\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`", "how_to_implement": "We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___account_harvesting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Anomalous User Clickspeed", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337bbb-bc22-4752-b599-ef192df2dc7a", "description": "This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* | rex field=cookie \"form_key=(?\\w+)\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`", "how_to_implement": "Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___anomalous_user_clickspeed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Password Sharing Across Accounts", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337a1a-53b9-4e05-96e9-55c934cb71d3", "description": "This search is used to identify user accounts that share a common password.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | rex field=form_data \"login\\[password\\]=(?[^&|^$]+)\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`", "how_to_implement": "We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___password_sharing_across_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows connhost exe started forcefully", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "c114aaca-68ee-41c2-ad8c-32bf21db8769", "description": "The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. ", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process=\"*C:\\\\Windows\\\\system32\\\\conhost.exe* 0xffffffff *-ForceV1*\" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This process should not be ran forcefully, we have not see any false positives for this detection", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_connhost_exe_started_forcefully_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 3, "id": "79c7d0fc-60c7-41be-a616-ccda752efe89", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows hosts file modification", "author": "Rico Valdez, Splunk", "date": "2018-11-02", "version": 1, "id": "06a6fc63-a72d-41dc-8736-7e3dd9612116", "description": "The search looks for modifications to the hosts file on all Windows endpoints across your environment.", "references": [], "tags": {"analytic_story": ["Host Redirection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\System32\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "There may be legitimate reasons for system administrators to add entries to this file.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_hosts_file_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "3CX Supply Chain Attack Network Indicators", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "791b727c-deec-4fbe-a732-756131b3c5a1", "description": "The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "URL String", "role": ["Attacker"]}], "message": "Indicators related to 3CX supply chain attack have been identified on $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.", "known_false_positives": "False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.", "datamodel": ["Network_Resolution"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "3cx_supply_chain_attack_network_indicators_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack.", "filename": "3cx_ioc_domains.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "7zip CommandLine To SMB Share Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "01d29b48-ff6f-11eb-b81e-acde48001123", "description": "The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "archive process $process_name$ with suspicious cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "7zip_commandline_to_smb_share_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Access LSASS Memory for Dump Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 3, "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "description": "The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "access_lsass_memory_for_dump_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Account Discovery With Net App", "author": "Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community", "date": "2024-05-22", "version": 5, "id": "339805ce-ac30-11eb-b87d-acde48001122", "description": "The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"analytic_story": ["IcedID", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=\"* user *\" OR Processes.process=\"*config*\" OR Processes.process=\"*view /all*\") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or power user may used this series of command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Active Directory Lateral Movement Identified", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "description": "The following analytic identifies potential lateral movement activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame. This is significant for a SOC as lateral movement is a common tactic used by attackers to expand their access within a network, posing a substantial risk. If confirmed malicious, this activity could allow attackers to escalate privileges, access sensitive information, and persist within the environment, leading to severe security breaches.", "references": ["https://attack.mitre.org/tactics/TA0008/", "https://research.splunk.com/stories/active_directory_lateral_movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to lateral movement has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Lateral Movement\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "active_directory_lateral_movement_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Active Directory Privilege Escalation Identified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "description": "The following analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame. This is significant for a SOC as it helps identify coordinated attempts to gain elevated privileges, which could indicate a serious security threat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive systems and data, leading to potential data breaches and further compromise of the network.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://research.splunk.com/stories/active_directory_privilege_escalation/"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to privilege escalation has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Privilege Escalation\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "active_directory_privilege_escalation_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Active Setup Registry Autostart", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 5, "id": "f64579c0-203f-11ec-abcc-acde48001122", "description": "The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"StubPath\" value within the \"SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.", "references": ["https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E", "https://attack.mitre.org/techniques/T1547/014/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Active setup installer may add or modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "active_setup_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Add DefaultUser And Password In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 5, "id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "description": "The following analytic detects suspicious registry modifications that implement auto admin logon by adding DefaultUserName and DefaultPassword values. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" registry path. This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot. If confirmed malicious, this could allow attackers to maintain persistence and further encrypt the network, leading to significant data loss and operational disruption.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "add_defaultuser_and_password_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Add or Set Windows Defender Exclusion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "773b66fe-4dd9-11ec-8289-acde48001122", "description": "The following analytic detects the use of commands to add or set exclusions in Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"Add-MpPreference\" or \"Set-MpPreference\" with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute undetected. If confirmed malicious, this behavior could enable attackers to evade antivirus detection, maintain persistence, and execute further malicious activities without interference from Windows Defender.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*Add-MpPreference *\" OR Processes.process = \"*Set-MpPreference *\") AND Processes.process=\"*-exclusion*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or user may choose to use this windows features. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "add_or_set_windows_defender_exclusion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AdsiSearcher Account Discovery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "de7fcadc-04f3-11ec-a241-acde48001122", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/002/", "https://www.blackhillsinfosec.com/red-blue-purple/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"AdsiSearcher\" used for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=user*\" ScriptBlockText = \"*.findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "adsisearcher_account_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow File And Printing Sharing In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 4, "id": "ce27646e-d411-11eb-8a00-acde48001122", "description": "The following analytic detects the modification of firewall settings to allow file and printer sharing. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving 'netsh' commands that enable file and printer sharing. This activity is significant because it can indicate an attempt by ransomware to discover and encrypt files on additional machines connected to the compromised host. If confirmed malicious, this could lead to widespread file encryption across the network, significantly increasing the impact of a ransomware attack.", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"File and Printer Sharing\\\"*\" Processes.process=\"*enable=Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "allow_file_and_printing_sharing_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Inbound Traffic By Firewall Rule Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 6, "id": "0a46537c-be02-11eb-92ca-acde48001122", "description": "The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Azorult", "NjRAT", "PlugX", "Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "allow_inbound_traffic_by_firewall_rule_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Inbound Traffic In Firewall Rule", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "a5d85486-b89c-11eb-8267-acde48001122", "description": "The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like \"firewall,\" \"Inbound,\" \"Allow,\" and \"-LocalPort.\" This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall modification detected on endpoint $dest$ by user $user$.", "risk_score": 3, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*firewall*\" ScriptBlockText = \"*Inbound*\" ScriptBlockText = \"*Allow*\" ScriptBlockText = \"*-LocalPort*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "administrator may allow inbound traffic in certain network or machine.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "allow_inbound_traffic_in_firewall_rule_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Network Discovery In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 3, "id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "description": "The following analytic detects a suspicious modification to the firewall to allow network discovery on a machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving the 'netsh' command to enable network discovery. This activity is significant because it is commonly used by ransomware, such as REvil and RedDot, to discover and compromise additional machines on the network. If confirmed malicious, this could lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack.", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "NjRAT", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious modification to the firewall to allow network discovery detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"Network Discovery\\\"*\" Processes.process=\"*enable*\" Processes.process=\"*Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "allow_network_discovery_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Allow Operation with Consent Admin", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 5, "id": "7de17d7a-c9d8-11eb-a812-acde48001122", "description": "The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4", "https://www.trendmicro.com/vinfo/no/threat-encyclopedia/malware/Ransom.Win32.MRDEC.MRA/"], "tags": {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "allow_operation_with_consent_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Anomalous usage of 7zip", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "description": "The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"rundll32.exe\", \"dllhost.exe\") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "anomalous_usage_of_7zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Any Powershell DownloadFile", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "1a93b7ea-7af7-11eb-adb5-acde48001122", "description": "The following analytic detects the use of PowerShell's `DownloadFile` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it is commonly used in malicious frameworks to download and execute additional payloads. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Analysts should investigate the source and destination of the download and review AMSI or PowerShell transaction logs for additional context.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Phemedrone Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "any_powershell_downloadfile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Any Powershell DownloadString", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 4, "id": "4d015ef2-7adf-11eb-95da-acde48001122", "description": "The following analytic detects the use of PowerShell's `DownloadString` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because `DownloadString` is commonly used in malicious PowerShell scripts to fetch and execute remote code. If confirmed malicious, this behavior could allow an attacker to download and run arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "IcedID", "Ingress Tool Transfer", "Malicious PowerShell", "Phemedrone Stealer", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "any_powershell_downloadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Attacker Tools On Endpoint", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 4, "id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "description": "The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.", "references": [], "tags": {"analytic_story": ["CISA AA22-264A", "Monitor for Unauthorized Software", "SamSam Ransomware", "Unusual Processes", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some administrator activity can be potentially triggered, please add those users to the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "attacker_tools_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "attacker_tools", "description": "A list of tools used by attackers", "filename": "attacker_tools.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempt To Add Certificate To Untrusted Store", "author": "Patrick Bareiss, Rico Valdez, Splunk", "date": "2024-05-12", "version": 8, "id": "6bc5243e-ef36-45dc-9b12-f4a6be131159", "description": "The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"], "tags": {"analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "attempt_to_add_certificate_to_untrusted_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Attempt To Stop Security Service", "author": "Rico Valdez, Splunk", "date": "2024-05-21", "version": 5, "id": "c8e349c6-b97c-486e-8949-bd7bcd1f3910", "description": "The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the \"sc.exe\" command with the \"stop\" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Data Destruction", "Disabling Security Tools", "Graceful Wipe Out Attack", "Trickbot", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified. Attempts to disable security-related services should be identified and understood.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "attempt_to_stop_security_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "security_services_lookup", "description": "A list of services that deal with security", "filename": "security_services.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 8, "id": "e9fb4a59-c5fb-440a-9f24-191fbc6b2911", "description": "The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Data Destruction", "Industroyer2", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export the registry keys.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "attempted_credential_dump_from_registry_via_reg_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Auto Admin Logon Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 5, "id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "description": "The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"AutoAdminLogon\" value within the \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "auto_admin_logon_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Batch File Write to System32", "author": "Steven Dick, Michael Haag, Rico Valdez, Splunk", "date": "2024-05-19", "version": 5, "id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "description": "The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\") Filesystem.file_name=\"*.bat\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "batch_file_write_to_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Bcdedit Command Back To Normal Mode Boot", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "dc7a8004-0f18-11ec-8c54-acde48001122", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that reconfigures a host from safe mode back to normal boot. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant as it may indicate the presence of ransomware, such as BlackMatter, which manipulates boot configurations to facilitate encryption processes. If confirmed malicious, this behavior could allow attackers to maintain control over the boot process, potentially leading to further system compromise and data encryption.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/deletevalue*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "bcdedit_command_back_to_normal_mode_boot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "BCDEdit Failure Recovery Modification", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "809b31d2-5462-11eb-ae93-0242ac130002", "description": "The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as \"recoveryenabled\" and \"no\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair"], "tags": {"analytic_story": ["Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*recoveryenabled*\" (Processes.process=\"* no*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "bcdedit_failure_recovery_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "BITS Job Persistence", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "e97a5ffe-90bf-11eb-928a-acde48001122", "description": "The following analytic detects the use of `bitsadmin.exe` to schedule a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line parameters such as `create`, `addfile`, and `resume`. This activity is significant because BITS jobs can be used by attackers to maintain persistence, download malicious payloads, or exfiltrate data. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or transfer sensitive information, necessitating further investigation and potential remediation.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"], "tags": {"analytic_story": ["BITS Jobs", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "bits_job_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "BITSAdmin Download File", "author": "Michael Haag, Sittikorn S", "date": "2024-05-20", "version": 4, "id": "80630ff4-8e4c-11eb-aab5-acde48001122", "description": "The following analytic detects the use of `bitsadmin.exe` with the `transfer` parameter to download a remote object. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because `bitsadmin.exe` can be exploited to download and execute malicious files without immediate detection. If confirmed malicious, an attacker could use this technique to download and execute payloads, potentially leading to code execution, privilege escalation, or persistent access within the environment. Review parallel and child processes, especially `svchost.exe`, for associated artifacts.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download", "https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["BITS Jobs", "DarkSide Ransomware", "Flax Typhoon", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however it may be required to filter based on parent process name or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "bitsadmin_download_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "415b4306-8bfb-11eb-85c4-acde48001122", "description": "The following analytic detects the use of certutil.exe to download files using the `-urlcache` and `-split` arguments. It leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include these specific arguments. This activity is significant because certutil.exe is typically used for certificate services, and its use to download files from remote locations is uncommon and potentially malicious. If confirmed, this behavior could indicate an attempt to download and execute malicious payloads, leading to potential system compromise and unauthorized data access.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats", "https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkSide Ransomware", "Flax Typhoon", "Forest Blizzard", "Ingress Tool Transfer", "Living Off The Land", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "certutil_download_with_urlcache_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 4, "id": "801ad9e4-8bfb-11eb-8b31-acde48001122", "description": "The following analytic detects the use of `certutil.exe` to download files using the `-VerifyCtl` and `-split` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "certutil_download_with_verifyctl_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Certutil exe certificate extraction", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 3, "id": "337a46be-600f-11eb-ae93-0242ac130002", "description": "The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack", "https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = \"*-exportPFX*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "certutil_exe_certificate_extraction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CertUtil With Decode Argument", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "bfe94226-8c10-11eb-a4b3-acde48001122", "description": "The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1140/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Deobfuscate-Decode Files or Information", "Forest Blizzard", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "certutil_with_decode_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Change Default File Association", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "462d17d8-1f71-11ec-ad07-acde48001122", "description": "The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under \"*\\\\shell\\\\open\\\\command\\\\*\" and \"*HKCR\\\\*\". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.", "references": ["https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Prestige Ransomware", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\shell\\\\open\\\\command\\\\*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "change_default_file_association_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Change To Safe Mode With Network Config", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that configures a host to boot in safe mode with network support. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant because it is a known technique used by BlackMatter ransomware to force a compromised host into safe mode for continued encryption. If confirmed malicious, this could allow attackers to bypass certain security controls, persist in the environment, and continue their malicious activities.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to force safemode boot the $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/set*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" Processes.process=\"*network*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "change_to_safe_mode_with_network_config_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CHCP Command Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "21d236ec-eec1-11eb-b23e-acde48001122", "description": "The following analytic detects the execution of the chcp.exe application, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where chcp.exe is executed by cmd.exe with specific command-line arguments. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.", "references": ["https://ss64.com/nt/chcp.html", "https://twitter.com/tccontre18/status/1419941156633329665?s=20"], "tags": {"analytic_story": ["Azorult", "Forest Blizzard", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "other tools or script may used this to change code page to UTF-* or others", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "chcp_command_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Check Elevated CMD using whoami", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "a9079b18-1633-11ec-859c-acde48001122", "description": "The following analytic identifies the execution of the 'whoami' command with specific parameters to check for elevated privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment.", "references": [], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*whoami*\" Processes.process = \"*/group*\" Processes.process = \"* find *\" Processes.process = \"*12288*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "check_elevated_cmd_using_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Child Processes of Spoolsv exe", "author": "Rico Valdez, Splunk", "date": "2024-05-15", "version": 4, "id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "description": "The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "child_processes_of_spoolsv_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clear Unallocated Sector Using Cipher App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "description": "The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process.", "references": ["https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cipher.exe\" Processes.process = \"*/w:*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may execute this app to manage disk", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "clear_unallocated_sector_using_cipher_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clop Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 3, "id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "description": "The following analytic identifies the execution of CLOP ransomware variants using specific arguments (\"runrun\" or \"temp.dat\") to trigger their malicious activities. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it indicates potential ransomware behavior, which can lead to file encryption on network shares or local machines. If confirmed malicious, this activity could result in significant data loss and operational disruption due to encrypted files, highlighting the need for immediate investigation and response.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Operators can execute third party tools using these parameters.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "clop_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clop Ransomware Known Service Name", "author": "Teoderick Contreras", "date": "2024-05-21", "version": 3, "id": "07e08a12-870c-11eb-b5f9-acde48001122", "description": "The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names (\"SecurityCenterIBM\", \"WinCheckDRVs\"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of a known Clop Ransomware Service Name detected on $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ServiceName StartType ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "clop_ransomware_known_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CMD Carry Out String Command Parameter", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-20", "version": 5, "id": "54a6ed00-3256-11ec-b031-acde48001122", "description": "The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AsyncRAT", "Azorult", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Hermetic Wiper", "IcedID", "Living Off The Land", "Log4Shell CVE-2021-44228", "NjRAT", "PlugX", "ProxyNotShell", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Warzone RAT", "WhisperGate", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process=\"* /c*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be high based on legitimate scripted code in any environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "cmd_carry_out_string_command_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CMD Echo Pipe - Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "eb277ba0-b96b-11eb-b00e-acde48001122", "description": "The following analytic identifies the use of named-pipe impersonation for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. It detects command-line executions where `cmd.exe` uses `echo` to write to a named pipe, such as `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential privilege escalation attempts. If confirmed malicious, attackers could gain elevated privileges, enabling further compromise and persistence within the environment.", "references": ["https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible filtering may be required to ensure fidelity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "cmd_echo_pipe___escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "6c3f7dd8-153c-11ec-ac2d-acde48001122", "description": "The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-277A", "CISA AA23-347A", "DarkGate Malware", "FIN7", "Qakbot", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "cmdline_tool_not_executed_in_cmd_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-05", "version": 2, "id": "f87b5062-b405-11eb-a889-acde48001122", "description": "The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "tags": {"analytic_story": ["DarkSide Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Legitimate windows application that are not on the list loading this dll. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cmlua_or_cmstplua_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cobalt Strike Named Pipes", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "5876d429-0240-4709-8b93-ea8330b411b5", "description": "The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify specific named pipes commonly used by Cobalt Strike's Artifact Kit and Malleable C2 Profiles. This activity is significant because Cobalt Strike is a popular tool for adversaries to conduct post-exploitation tasks, and identifying its named pipes can reveal potential malicious activity. If confirmed malicious, this could indicate an active Cobalt Strike beacon, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1040", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "DarkSide Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=17 OR EventID=18 PipeName IN (\\\\msagent_*, \\\\DserNamePipe*, \\\\srvsvc_*, \\\\postex_*, \\\\status_*, \\\\MSSE-*, \\\\spoolss_*, \\\\win_svc*, \\\\ntsvcs*, \\\\winsock*, \\\\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cobalt_strike_named_pipes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Common Ransomware Extensions", "author": "David Dorsey, Michael Haag, Splunk, Steven Dick", "date": "2024-05-26", "version": 6, "id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "description": "The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.", "references": ["https://github.com/splunk/security_content/issues/2448"], "tags": {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name \"(?\\.[^\\.]+)$\" | rex field=file_path \"(?([^\\\\\\]*\\\\\\)*).*\" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ransomware_extensions", "definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "common_ransomware_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Common Ransomware Notes", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 5, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "description": "The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands.", "references": [], "tags": {"analytic_story": ["Chaos Ransomware", "Clop Ransomware", "LockBit Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "It's possible that a legitimate file could be created with the same name used by ransomware note files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ransomware_notes", "definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "common_ransomware_notes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "56a3ac65-e747-41f7-b014-dff7423c1dda", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") Filesystem.file_name IN (\"*.aspx\",\"*.ashx\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`", "how_to_implement": "This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "connectwise_screenconnect_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "4e127857-1fc9-4c95-9d69-ba24c91d52d7", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4663 ProcessName=*\\\\ScreenConnect.Service.exe file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") file_name IN (\"*.aspx\",\"*.ashx\") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter`", "how_to_implement": "To implement the following query, enable SACL auditing for the ScreenConnect directory(ies). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL Auditing.", "known_false_positives": "False positives should be limited as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "connectwise_screenconnect_path_traversal_windows_sacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Conti Common Exec parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "624919bc-c382-11eb-adcc-acde48001122", "description": "The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*-m local*\" OR Processes.process = \"*-m net*\" OR Processes.process = \"*-m all*\" OR Processes.process = \"*-nomutex*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "3rd party tool may have commandline parameter that can trigger this detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "conti_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Control Loading from World Writable Directory", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "10423ac4-10c9-11ec-8dc4-acde48001122", "description": "The following analytic identifies instances of control.exe loading a .cpl or .inf file from a writable directory, which is related to CVE-2021-40444. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate an attempt to exploit a known vulnerability, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the affected system, leading to further compromise.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "control_loading_from_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create local admin accounts using net exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 10, "id": "b89919ed-fe5f-492c-b139-151bb162040e", "description": "The following analytic detects the creation of local administrator accounts using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes named net.exe or net1.exe with the \"/add\" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.", "references": [], "tags": {"analytic_story": ["Azorult", "CISA AA22-257A", "DHS Report TA18-074A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create admin accounts.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "create_local_admin_accounts_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create or delete windows shares using net exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 7, "id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "description": "The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats.", "references": ["https://attack.mitre.org/techniques/T1070/005/"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkGate Malware", "Hidden Cobra Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "create_or_delete_windows_shares_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create Remote Thread In Shell Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "10399c1e-f51e-11eb-b920-acde48001122", "description": "The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "references": ["https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/"], "tags": {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\cmd.exe\", \"*\\\\powershell*\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_in_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Create Remote Thread into LSASS", "author": "Patrick Bareiss, Splunk", "date": "2024-05-26", "version": 2, "id": "67d4dbef-9564-4699-8da8-03a151529edc", "description": "The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon Event ID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "TargetImage", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_into_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Creation of lsass Dump with Taskmgr", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "description": "The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager", "https://attack.mitre.org/techniques/T1003/001/", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "creation_of_lsass_dump_with_taskmgr_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Creation of Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "eb120f5f-b879-4a63-97c1-93352b5df844", "description": "The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate administrator usage of Vssadmin or Wmic will create false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "creation_of_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "author": "Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 4, "id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "description": "The following analytic detects the creation of shadow copies using \"wmic\" or \"Powershell\" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes \"shadowcopy\" and \"create\". This activity is significant because it may indicate an attacker attempting to manipulate or access data unauthorizedly, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legtimate administrator usage of wmic to create a shadow copy.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "creation_of_shadow_copy_with_wmic_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-30", "version": 3, "id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "description": "The following analytic detects the use of the copy command to dump credentials from a shadow copy. It leverages Endpoint Detection and Response (EDR) data to identify processes with command lines referencing critical files like \"sam\", \"security\", \"system\", and \"ntds.dit\" in system directories. This activity is significant as it indicates an attempt to extract credentials, a common technique for unauthorized access and privilege escalation. If confirmed malicious, this could lead to attackers gaining sensitive login information, escalating privileges, moving laterally within the network, or accessing sensitive data.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "credential_dumping_via_copy_command_from_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Credential Dumping via Symlink to Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 3, "id": "c5eac648-fae0-4263-91a6-773df1f4c903", "description": "The following analytic detects the creation of a symlink to a shadow copy, which may indicate credential dumping attempts. It leverages the Endpoint.Processes data model in Splunk to identify processes executing commands containing \"mklink\" and \"HarddiskVolumeShadowCopy\". This activity is significant because attackers often use this technique to manipulate or delete shadow copies, hindering system backup and recovery efforts. If confirmed malicious, this could prevent data restoration, complicate incident response, and lead to data loss or compromise. Analysts should review the process details, user, parent process, and any related artifacts to identify the attack source.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "credential_dumping_via_symlink_to_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "CSC Net On The Fly Compilation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "ea73128a-43ab-11ec-9753-acde48001122", "description": "The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/", "https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "csc.exe with commandline $process$ to compile .net code on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = \"*/noconfig*\" Processes.process = \"*/fullpaths*\" Processes.process = \"*@*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_csc", "definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "csc_net_on_the_fly_compilation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Curl Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "900bc324-59f3-11ec-9fb4-acde48001122", "description": "The following analytic detects the use of curl on Linux or MacOS systems to download a file from a remote source and pipe it directly to bash for execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant as it is commonly associated with malicious actions such as coinminers and exploitation of vulnerabilities like CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could lead to unauthorized code execution, system compromise, and further exploitation within the environment.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "curl_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Delete ShadowCopy With PowerShell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "description": "The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like \"ShadowCopy,\" \"Delete,\" or \"Remove\" within the ScriptBlockText. This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, this action could lead to irreversible data loss and hinder recovery efforts, significantly impacting business continuity and data integrity.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security"], "tags": {"analytic_story": ["DarkGate Malware", "DarkSide Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to delete ShadowCopy was performed using PowerShell on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*ShadowCopy*\" (ScriptBlockText = \"*Delete*\" OR ScriptBlockText = \"*Remove*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "delete_shadowcopy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Deleting Of Net Users", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "1c8c6f66-acce-11eb-aafb-acde48001122", "description": "The following analytic detects the use of net.exe or net1.exe command-line to delete a user account on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as it may indicate an attempt to impair user accounts or cover tracks during lateral movement. If confirmed malicious, this could lead to unauthorized access removal, disruption of legitimate user activities, or concealment of adversarial actions, complicating incident response and forensic investigations.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["DarkGate Malware", "Graceful Wipe Out Attack", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/delete*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators or scripts may delete user accounts via this technique. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "deleting_of_net_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Deleting Shadow Copies", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 5, "id": "b89919ed-ee5f-492c-b139-95dbb162039e", "description": "The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["CISA AA22-264A", "Chaos Ransomware", "Clop Ransomware", "DarkGate Malware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "SamSam Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "deleting_shadow_copies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AzureHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "26f02e96-c300-11eb-b611-acde48001122", "description": "The following analytic detects the execution of the `Invoke-AzureHound` command-line argument, commonly used by the AzureHound tool. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because AzureHound is often used for reconnaissance in Azure environments, potentially exposing sensitive information. If confirmed malicious, this activity could allow an attacker to map out Azure Active Directory structures, aiding in further attacks and privilege escalation.", "references": ["https://attack.mitre.org/software/S0521/", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_azurehound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AzureHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 3, "id": "1c34549e-c31b-11eb-996b-acde48001122", "description": "The following analytic detects the creation of specific AzureHound-related files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation events with specific filenames. This activity is significant because AzureHound is a tool used to gather information about Azure environments, similar to SharpHound for on-premises Active Directory. If confirmed malicious, this activity could indicate an attacker is collecting sensitive Azure environment data, potentially leading to further exploitation or privilege escalation within the cloud infrastructure.", "references": ["https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_azurehound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2024-05-15", "version": 2, "id": "93fbec4e-0375-440c-8db3-4508eca470c4", "description": "The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the \"sudoedit -s \\\\\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the \"-s\" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`linux_hosts` \"sudoedit -s \\\\\" | `detect_baron_samedit_cve_2021_3156_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "description": "The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both \"sudoedit\" and \"segfault\" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host", "known_false_positives": "If sudoedit is throwing segfaults for other reasons this will pick those up too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_segfault_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "author": "Shannon Davis, Splunk", "date": "2024-05-13", "version": 2, "id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "description": "The following analytic detects the execution of the \"sudoedit -s *\" command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer overflow vulnerability. This detection leverages the `osquery_process` data source to identify instances where this specific command is run. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows privilege escalation. If confirmed malicious, an attacker could gain full control of the system, execute arbitrary code, or access sensitive data, leading to potential data breaches and system disruptions.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery_process` | search \"columns.cmdline\"=\"sudoedit -s \\\\*\" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`", "how_to_implement": "OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Certify Command Line Arguments", "author": "Steven Dick", "date": "2024-05-25", "version": 2, "id": "e6d2dc61-a8b9-4b03-906c-da0ca75d71b8", "description": "The following analytic detects the use of Certify or Certipy tools to enumerate Active Directory Certificate Services (AD CS) environments. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with these tools. This activity is significant because it indicates potential reconnaissance or exploitation attempts targeting AD CS, which could lead to unauthorized access or privilege escalation. If confirmed malicious, attackers could gain insights into the AD CS infrastructure, potentially compromising sensitive certificates and escalating their privileges within the network.", "references": ["https://github.com/GhostPack/Certify", "https://github.com/ly4k/Certipy", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Certify/Certipy arguments detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"* find *\",\"* auth *\",\"* request *\",\"* req *\",\"* download *\",) AND Processes.process IN (\"* /vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\",\"* /ca*\", \"* -username *\",\"* -u *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_certify_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "author": "Steven Dick", "date": "2024-05-12", "version": 2, "id": "f533ca6c-9440-4686-80cb-7f294c07812a", "description": "The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.", "references": ["https://github.com/GhostPack/Certify", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Malicious PowerShell", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Certify arguments through PowerShell detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText IN (\"*find *\") AND ScriptBlockText IN (\"* /vulnerable*\",\"* -vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\")) OR (ScriptBlockText IN (,\"*auth *\",\"*req *\",) AND ScriptBlockText IN (\"* -ca *\",\"* -username *\",\"* -u *\")) OR (ScriptBlockText IN (\"*request *\",\"*download *\") AND ScriptBlockText IN (\"* /ca:*\")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),\"unknown\") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell..", "known_false_positives": "Unknown, partial script block matches.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_certify_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Certipy File Modifications", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "7e3df743-b1d8-4631-8fa8-bd5819688876", "description": "The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities. This activity is significant as it indicates potential reconnaissance and data exfiltration efforts by an attacker. If confirmed malicious, this could lead to unauthorized access to sensitive AD CS information, enabling further attacks or privilege escalation within the network.", "references": ["https://github.com/ly4k/Certipy"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious files $file_name$ related to Certipy detected on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action=\"allowed\" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*_certipy.zip\", \"*_certipy.txt\", \"*_certipy.json\", \"*.ccache\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_certipy_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Computer Changed with Anonymous Account", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-18", "version": 2, "id": "1400624a-d42d-484d-8843-e6753e6e3645", "description": "The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to \"ANONYMOUS LOGON\" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.", "references": ["https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/"], "tags": {"analytic_story": ["Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\"ANONYMOUS LOGON\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`", "how_to_implement": "This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "None thus far found", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_computer_changed_with_anonymous_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 3, "id": "9251299c-ea5b-11eb-a8de-acde48001122", "description": "The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*copy*\",\"*[System.IO.File]::Copy*\") AND ScriptBlockText IN (\"*System32\\\\config\\\\SAM*\", \"*System32\\\\config\\\\SYSTEM*\",\"*System32\\\\config\\\\SECURITY*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_copy_of_shadowcopy_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Credential Dumping through LSASS access", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 4, "id": "2c365e57-4414-4540-8dc0-73ab10729996", "description": "The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities.", "references": [], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetImage", "type": "Other", "role": ["Victim"]}], "message": "The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_credential_dumping_through_lsass_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "bc1dc6b8-c954-11eb-bade-acde48001122", "description": "The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://github.com/BC-SECURITY/Empire", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_empire_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Excessive Account Lockouts From Endpoint", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 9, "id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "description": "The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple accounts have been locked out. Review $dest$ and results related to $user$.", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`", "how_to_implement": "You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.\n**Splunk>Phantom Playbook Integration** If Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\nPlaybook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`)", "known_false_positives": "It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_excessive_account_lockouts_from_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Excessive User Account Lockouts", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 6, "id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "description": "The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive user account lockouts for $user$ in a short period of time", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`", "how_to_implement": "ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.", "known_false_positives": "It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_excessive_user_account_lockouts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Exchange Web Shell", "author": "Michael Haag, Shannon Davis, David Dorsey, Splunk", "date": "2024-05-21", "version": 6, "id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "description": "The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. It leverages data from the Endpoint datamodel, focusing on process and filesystem events. This activity is significant as it may indicate a web shell deployment, a common method for persistent access and remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary commands, and potentially escalate privileges within the Exchange environment.", "references": ["https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "HAFNIUM Group", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest user file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest user file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_exchange_web_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help Renamed", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 5, "id": "62fed254-513b-460e-953d-79771493a9f3", "description": "The following analytic detects instances where hh.exe (HTML Help) has been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because attackers can use renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow attackers to run arbitrary scripts, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_html_help_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help Spawn Child Process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "description": "The following analytic detects the execution of hh.exe (HTML Help) spawning a child process, indicating the use of a Compiled HTML Help (CHM) file to execute Windows script code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where hh.exe is the parent process. This activity is significant as it may indicate an attempt to execute malicious scripts via CHM files, a known technique for bypassing security controls. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["AgentTesla", "Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_html_help_spawn_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help URL in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "description": "The following analytic detects the execution of hh.exe (HTML Help) loading a Compiled HTML Help (CHM) file from a remote URL. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing URLs. This activity is significant as it can indicate an attempt to execute malicious scripts via CHM files, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to run scripts using engines like JScript or VBScript, leading to further system compromise or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://blog.sevagas.com/?Hacking-around-HTA-files", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_html_help_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "description": "The following analytic detects the execution of hh.exe (HTML Help) using InfoTech Storage Handlers to load Windows script code from a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it can be used to execute malicious scripts embedded within CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://www.kb.cert.org/vuls/id/851869", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_html_help_using_infotech_storage_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "8148c29c-c952-11eb-9255-acde48001122", "description": "The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_mimikatz_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect mshta inline hta execution", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2024-05-21", "version": 7, "id": "a0873b32-5b68-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of \"mshta.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments and process details. This activity is significant because mshta.exe can be exploited to execute malicious scripts, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or establish persistence within the environment, posing a severe security risk.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_mshta_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect mshta renamed", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 4, "id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "description": "The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_mshta_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect MSHTA Url in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Microsoft HTML Application Host (mshta.exe) to make remote HTTP or HTTPS connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments containing URLs. This activity is significant because adversaries often use mshta.exe to download and execute remote .hta files, bypassing security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network infiltration.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to access a remote destination to download an additional payload.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible legitimate applications may perform this behavior and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_mshta_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect New Local Admin account", "author": "David Dorsey, Splunk", "date": "2024-05-15", "version": 4, "id": "b25f6f62-0712-43c1-b203-083231ffd97d", "description": "The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.", "references": [], "tags": {"analytic_story": ["CISA AA22-257A", "DHS Report TA18-074A", "HAFNIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.", "risk_score": 42, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`", "how_to_implement": "You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732", "known_false_positives": "The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not \"Administrators\", this search may generate an excessive number of false positives", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_local_admin_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Outlook exe writing a zip file", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 5, "id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "description": "The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.", "references": [], "tags": {"analytic_story": ["Amadey", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\Users* OR Filesystem.file_path=*Local\\\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != \"\" | `detect_outlook_exe_writing_a_zip_file_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "It is not uncommon for outlook to write legitimate zip files to the disk.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_outlook_exe_writing_a_zip_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Path Interception By Creation Of program exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 6, "id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "description": "The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint.", "references": ["https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \"^.*?\\\\\\\\(?[^\\\\\\\\]*\\.(?:exe|bat|com|ps1))\" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_path_interception_by_creation_of_program_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect processes used for System Network Configuration Discovery", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 3, "id": "a51bfe1a-94f0-48cc-b1e4-16ae10145893", "description": "The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.", "references": [], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_network_configuration_discovery_tools", "definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration"}, {"name": "detect_processes_used_for_system_network_configuration_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 7, "id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "description": "The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] | `detect_prohibited_applications_spawning_cmd_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "prohibited_apps_launching_cmd_macro", "definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_prohibited_applications_spawning_cmd_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect PsExec With accepteula Flag", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 5, "id": "27c3a83d-cada-47c6-9042-67baf19d2574", "description": "The following analytic identifies the execution of `PsExec.exe` with the `accepteula` flag in the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because PsExec is commonly used by threat actors to execute code on remote systems, and the `accepteula` flag indicates first-time usage, which could signify initial compromise. If confirmed malicious, this activity could allow attackers to gain remote code execution capabilities, potentially leading to further system compromise and lateral movement within the network.", "references": ["https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "IcedID", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_psexec", "definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_psexec_with_accepteula_flag_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rare Executables", "author": "Bhavin Patel, Splunk", "date": "2024-05-21", "version": 5, "id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "description": "The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact.", "references": [], "tags": {"analytic_story": ["Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A rare process - [$process_name$] has been detected on less than 10 hosts in your environment.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate processes may be only rarely executed in your environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rare_executables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect RClone Command-Line Usage", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "description": "The following analytic detects the usage of `rclone.exe` with specific command-line arguments indicative of file transfer activities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as `rclone.exe` is often used by adversaries for data exfiltration, especially during ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and potential loss of sensitive information. Immediate isolation of the affected endpoint and further investigation are recommended.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rclone", "definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rclone_command_line_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regasm Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "description": "The following analytic detects regasm.exe spawning a child process. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where regasm.exe is the parent process. This activity is significant because regasm.exe spawning a process is rare and can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated activities.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["DarkGate Malware", "Living Off The Land", "Snake Keylogger", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe NOT (Processes.process_name IN (\"conhost.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_regasm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regasm with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "description": "The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regasm_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regasm with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "description": "The following analytic detects instances of regasm.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regasm.exe. The detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line executions. This activity is significant as it may signal an attempt to evade detection or execute malicious code. If confirmed malicious, attackers could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information. Investigate network connections, parallel processes, and suspicious module loads for further context.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regasm", "definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_regasm_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvcs Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "description": "The following analytic identifies regsvcs.exe spawning a child process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is regsvcs.exe. This activity is significant because regsvcs.exe rarely spawns child processes, and such behavior can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated suspicious activities.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_regsvcs_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvcs with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 4, "id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "description": "The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon Event ID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regsvcs_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 4, "id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "description": "The following analytic detects instances of regsvcs.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regsvcs.exe. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, IDs, and command-line executions. This activity is significant as it may signal an attempt to evade detection and execute malicious code. If confirmed malicious, the attacker could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvcs", "definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_regsvcs_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Regsvr32 Application Control Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "070e9b80-6252-11eb-ae93-0242ac130002", "description": "The following analytic identifies the abuse of Regsvr32.exe to proxy execution of malicious code, specifically detecting the loading of \"scrobj.dll\" by Regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line executions. This activity is significant because Regsvr32.exe is a trusted, signed Microsoft binary, often used in \"Squiblydoo\" attacks to bypass application control mechanisms. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives related to third party software registering .DLL's.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_regsvr32_application_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Remote Access Software Usage File", "author": "Steven Dick", "date": "2024-05-13", "version": 2, "id": "3bf5541a-6a45-4fdc-b01d-59b899fff961", "description": "The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file for known a remote access software [$file_name$] was created on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage FileInfo", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "ccad96d7-a48c-4f13-8b9c-9f6a31cba454", "description": "The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A file attributes for known a remote access software [$process_name$] was detected on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`", "how_to_implement": "This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_remote_access_software_usage_fileinfo_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Process", "author": "Steven Dick", "date": "2024-05-23", "version": 2, "id": "ffd5e001-2e34-48f4-97a2-26dc4bb08178", "description": "The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process for a known remote access software $process_name$ was identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Renamed 7-Zip", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "4057291a-b8cf-11eb-95fe-acde48001122", "description": "The following analytic detects the usage of a renamed 7-Zip executable using Sysmon data. It leverages the OriginalFileName field to identify instances where the 7-Zip process has been renamed. This activity is significant as attackers often rename legitimate tools to evade detection while staging or exfiltrating data. If confirmed malicious, this behavior could indicate data exfiltration attempts or other unauthorized data manipulation, potentially leading to significant data breaches or loss of sensitive information. Analysts should validate the legitimacy of the 7-Zip executable and investigate parallel processes for further suspicious activities.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_renamed_7_zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Renamed PSExec", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "683e6196-b8e8-11eb-9a79-acde48001122", "description": "The following analytic identifies instances where `PsExec.exe` has been renamed and executed on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because renaming `PsExec.exe` is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml", "https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_renamed_psexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Renamed RClone", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "6dca1124-b3ec-11eb-9328-acde48001122", "description": "The following analytic detects the execution of a renamed `rclone.exe` process, which is commonly used for data exfiltration to remote destinations. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and original file names that do not match. This activity is significant because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially leading to significant data loss and further compromise of the affected systems.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_renamed_rclone_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Renamed WinRAR", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "description": "The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["CISA AA22-277A", "Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible third party applications use renamed instances of WinRAR.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_renamed_winrar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect RTLO In File Name", "author": "Steven Dick", "date": "2024-05-24", "version": 3, "id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "description": "The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to disguise malicious files as benign by reversing the text that follows the character. If confirmed malicious, this technique can deceive users and security tools, leading to the execution of harmful files and potential system compromise.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = \"\\\\x{202E}\" | rex field=file_name \"(?.+)(?\\\\x{202E})(?.+)\" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect RTLO In Process", "author": "Steven Dick", "date": "2024-05-29", "version": 3, "id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "description": "The following analytic identifies the abuse of the right-to-left override (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line data. This activity is significant because adversaries use the RTLO character to disguise malicious files or commands, making them appear benign. If confirmed malicious, this technique can allow attackers to execute harmful code undetected, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process=\"\\\\x{202E}\" | rex field=process \"(?.+)(?\\\\x{202E})(?.+)\" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8", "description": "The following analytic detects the execution of rundll32.exe loading advpack.dll or ieadvpack.dll via the LaunchINFSection function. This method is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate script content, network connections, and any spawned child processes for further context.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Advpack/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___advpack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "61e7b44a-6088-4f26-b788-9a96ba13b37a", "description": "The following analytic detects the execution of rundll32.exe loading setupapi.dll and iesetupapi.dll via the LaunchINFSection function. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events and command-line arguments. This activity is significant as it indicates a potential application control bypass, allowing an attacker to execute arbitrary script code. If confirmed malicious, this technique could enable code execution, privilege escalation, or persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use setupapi triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___setupapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "71b9bf37-cde1-45fb-b899-1b0aa6fa1183", "description": "The following analytic detects the execution of rundll32.exe loading syssetup.dll via the LaunchINFSection function. This method is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate the script content, network connections, and any spawned child processes for further context.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Syssetup/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___syssetup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Rundll32 Inline HTA Execution", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "91c79f14-5b41-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of \"rundll32.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "NOBELIUM Group", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious rundll32.exe inline HTA execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_rundll32_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SharpHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "description": "The following analytic detects the execution of SharpHound command-line arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible SharpHound command-Line arguments identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*-collectionMethod*\",\"*invoke-bloodhound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_sharphound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SharpHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 4, "id": "42b4b438-beed-11eb-ba1d-acde48001122", "description": "The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential SharpHound file modifications identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_sharphound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SharpHound Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 4, "id": "dd04b29a-beed-11eb-87bc-acde48001122", "description": "The following analytic detects the usage of the SharpHound binary by identifying its original filename, `SharpHound.exe`, and the process name. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process metadata and command-line executions. SharpHound is a tool used for Active Directory enumeration, often by attackers during the reconnaissance phase. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially leading to privilege escalation and lateral movement within the environment.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential SharpHound binary identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_sharphound_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-27", "version": 2, "id": "a15f8977-ad7d-4669-92ef-b59b97219bf5", "description": "The following analytic identifies suspicious process names using a pre-trained Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry to analyze process names and predict their likelihood of being malicious. The model, a character-level Recurrent Neural Network (RNN), classifies process names as benign or suspicious based on a threshold score of 0.5. This detection is significant as it helps identify malware, such as TrickBot, which often uses randomly generated filenames to evade detection. If confirmed malicious, this activity could indicate the presence of malware capable of propagating across the network and executing harmful actions.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa20-302a", "https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if a suspicious processname is similar to a benign processname.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 6, "id": "b89919ed-fe5f-492c-b139-95dbb162039e", "description": "The following analytic detects the execution of cscript.exe or wscript.exe processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes within the Endpoint data model. This activity is significant as it may indicate script-based attacks or administrative actions that could be leveraged for malicious purposes. If confirmed malicious, this behavior could allow attackers to execute scripts, potentially leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1059/", "https://redcanary.com/threat-detection-report/techniques/windows-command-shell/"], "tags": {"analytic_story": ["Azorult", "Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "cmd.exe launching script interpreters $process_name$ on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"cmd.exe\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Webshell Exploit Behavior", "author": "Steven Dick", "date": "2024-05-20", "version": 3, "id": "22597426-6dbd-49bd-bcdc-4ec19857192f", "description": "The following analytic identifies the execution of suspicious processes typically associated with webshell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a webshell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.", "references": ["https://attack.mitre.org/techniques/T1505/003/", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "HAFNIUM Group", "ProxyNotShell", "ProxyShell", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"arp.exe\",\"at.exe\",\"bash.exe\",\"bitsadmin.exe\",\"certutil.exe\",\"cmd.exe\",\"cscript.exe\", \"dsget.exe\",\"dsquery.exe\",\"find.exe\",\"findstr.exe\",\"fsutil.exe\",\"hostname.exe\",\"ipconfig.exe\",\"ksh.exe\",\"nbstat.exe\", \"net.exe\",\"net1.exe\",\"netdom.exe\",\"netsh.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ntdsutil.exe\",\"pathping.exe\", \"ping.exe\",\"powershell.exe\",\"pwsh.exe\",\"qprocess.exe\",\"query.exe\",\"qwinsta.exe\",\"reg.exe\",\"rundll32.exe\",\"sc.exe\", \"scrcons.exe\",\"schtasks.exe\",\"sh.exe\",\"systeminfo.exe\",\"tasklist.exe\",\"tracert.exe\",\"ver.exe\",\"vssadmin.exe\", \"wevtutil.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\",\"wusa.exe\",\"zsh.exe\") AND Processes.parent_process_name IN (\"w3wp.exe\", \"http*.exe\", \"nginx*.exe\", \"php*.exe\", \"php-cgi*.exe\",\"tomcat*.exe\")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_webshell_exploit_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect WMI Event Subscription Persistence", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "01d9a0c2-cece-11eb-ab46-acde48001122", "description": "The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible malicious WMI Subscription created on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.", "known_false_positives": "It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_wmi_event_subscription_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detection of tools built by NirSoft", "author": "Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "description": "The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as \"/stext\" and \"/scomma\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* /stext *\" OR Processes.process=\"* /scomma *\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detection_of_tools_built_by_nirsoft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable AMSI Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "9c27ec42-d338-11eb-9044-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the \"AmsiEnable\" value to \"0x00000000\". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.", "references": ["https://blog.f-secure.com/hunting-for-amsi-bypasses/", "https://gist.github.com/rxwx/8955e5abf18dc258fd6b43a3a7f4dbf9"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable AMSI Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_amsi_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender AntiVirus Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 5, "id": "aa4f695a-3024-11ec-9987-acde48001122", "description": "The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_defender_antivirus_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 5, "id": "2dd719ac-3021-11ec-97b4-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_defender_blockatfirstseen_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender Enhanced Notification", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 4, "id": "dc65678c-301f-11ec-8e30-acde48001122", "description": "The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*Microsoft\\\\Windows Defender\\\\Reporting*\" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_enhanced_notification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may choose to disable windows defender AV", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_defender_enhanced_notification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender MpEngine Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 5, "id": "cc391750-3024-11ec-955a-acde48001122", "description": "The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_defender_mpengine_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender Spynet Reporting", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 5, "id": "898debf4-3021-11ec-ba7c-acde48001122", "description": "The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Qakbot", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_defender_spynet_reporting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Defender Submit Samples Consent Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 5, "id": "73922ff8-3022-11ec-bf5e-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_defender_submit_samples_consent_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable ETW Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 5, "id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "description": "The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" with a value set to \"0x00000000\". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable ETW Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_etw_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Logs Using WevtUtil", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "236e7c8e-c9d9-11eb-a824-acde48001122", "description": "The following analytic detects the execution of \"wevtutil.exe\" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident.", "references": ["https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "WevtUtil.exe used to disable Event Logging on $dest", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"wevtutil.exe\" Processes.process = \"*sl*\" Processes.process = \"*/e:false*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may disable audit event logs for debugging purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_logs_using_wevtutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Registry Tool", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 6, "id": "cd2cf33c-9201-11eb-a10a-acde48001122", "description": "The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" with a value of \"0x00000001\". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Registry Tools on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_registry_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "db596056-3019-11ec-a9ff-acde48001122", "description": "The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "schtask process with commandline $process$ to disable schedule task in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable problematic schedule task", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Security Logs Using MiniNt Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "39ebdc68-25b9-11ec-aec7-acde48001122", "description": "The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"Control\\\\MiniNt\" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.", "references": ["https://twitter.com/0gtweet/status/1182516740955226112"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_security_logs_using_minint_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Show Hidden Files", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 6, "id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.", "references": ["https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis"], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Show Hidden Files' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_show_hidden_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable UAC Remote Restriction", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 5, "id": "9928b732-210e-11ec-b65e-acde48001122", "description": "The following analytic detects the modification of the registry to disable UAC remote restriction by setting the \"LocalAccountTokenFilterPolicy\" value to \"0x00000001\". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\CurrentVersion\\\\Policies\\\\System*\". This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction"], "tags": {"analytic_story": ["CISA AA23-347A", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may set this policy for non-critical machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_uac_remote_restriction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Windows App Hotkeys", "author": "Steven Dick, Teoderick Contreras, Splunkk", "date": "2024-05-11", "version": 5, "id": "1490f224-ad8b-11eb-8c4f-acde48001122", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Windows App Hotkeys' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_windows_app_hotkeys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Windows Behavior Monitoring", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "79439cae-9200-11eb-a4d3-acde48001122", "description": "The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "Ransomware", "RedLine Stealer", "Revil Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender real time behavior monitoring disabled on $dest", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_windows_behavior_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disable Windows SmartScreen Protection", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 6, "id": "664f0fd0-91ff-11eb-a56f-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Smartscreen was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\", \"*\\\\Microsoft\\\\Windows\\\\System\\\\EnableSmartScreen\") Registry.registry_value_data IN (\"Off\", \"0\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disable_windows_smartscreen_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "114c6bfe-9406-11ec-bcce-acde48001122", "description": "The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "b0b34e2c-90de-11ec-baeb-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainUser` commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication disabled is significant because adversaries can leverage this information to attempt offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to domain accounts, potentially compromising sensitive information and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling CMD Application", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 6, "id": "ff86077c-9212-11eb-a1e6-acde48001122", "description": "The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableCMD\" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows command prompt was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_cmd_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling ControlPanel", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "6ae0148e-9215-11eb-a94a-acde48001122", "description": "The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Control Panel was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_controlpanel_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Defender Services", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 5, "id": "911eacdc-317f-11ec-ad30-acde48001122", "description": "The following analytic detects the disabling of Windows Defender services by monitoring registry modifications. It leverages registry event data to identify changes to specific registry paths associated with Defender services, where the 'Start' value is set to '0x00000004'. This activity is significant because disabling Defender services can indicate an attempt by an adversary to evade detection and maintain persistence on the endpoint. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches or system compromise.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "RedLine Stealer", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_defender_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Firewall with Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 4, "id": "6860a62c-9203-11eb-9e05-acde48001122", "description": "The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like \"firewall,\" \"off,\" or \"disable.\" This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Firewall was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" (Processes.process= \"*off*\" OR Processes.process= \"*disable*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable firewall during testing or fixing network problem.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_firewall_with_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling FolderOptions Windows Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 6, "id": "83776de4-921a-11eb-868a-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Folder Options feature, which prevents users from showing hidden files and file extensions. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to conceal malicious files and deceive users with fake file extensions. If confirmed malicious, this could allow an attacker to hide their presence and malicious files, making detection and remediation more difficult.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Folder Options, to hide files, was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_folderoptions_windows_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Net User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "c0325326-acd6-11eb-98c2-acde48001122", "description": "The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/active:no*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_net_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling NoRun Windows App", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 6, "id": "de81bc46-9213-11eb-adc9-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" with a value of \"0x00000001\". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.malwarebytes.com/detections/pum-optional-norun/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable run application in window start menu on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_norun_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Remote User Account Control", "author": "David Dorsey, Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 5, "id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "description": "The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.", "references": [], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Remcos", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA* Registry.registry_value_data=\"0x00000000\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.", "known_false_positives": "This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_remote_user_account_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling SystemRestore In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 6, "id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "description": "The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable system restore on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "in some cases admin can disable systemrestore on a machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_systemrestore_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Task Manager", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 6, "id": "dac279bc-9202-11eb-b7fb-acde48001122", "description": "The following analytic identifies modifications to the Windows registry that disable Task Manager. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent users from terminating malicious processes. If confirmed malicious, this could allow attackers to maintain persistence and control over the infected system.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Task Manager was disabled on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_task_manager_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "author": "Dean Luxton", "date": "2024-05-19", "version": 3, "id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "description": "The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access.", "references": ["https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LsaCfgFlags\", \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\*\", \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL\") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Potential to be triggered by an administrator disabling protections for troubleshooting purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "disabling_windows_local_security_authority_defences_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DLLHost with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-26", "version": 5, "id": "f1c07594-a141-11eb-8407-acde48001122", "description": "The following analytic detects instances of DLLHost.exe running without command line arguments while establishing a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network activity data. It is significant because DLLHost.exe typically runs with specific arguments, and its absence can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to execute code, move laterally, or exfiltrate data, posing a severe threat to the network's security.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_image", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dllhost_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Exfiltration Using Nslookup App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "2452e632-9e0d-11eb-bacd-acde48001122", "description": "The following analytic identifies potential DNS exfiltration using the nslookup application. It detects specific command-line parameters such as query type (TXT, A, AAAA) and retry options, which are commonly used by attackers to exfiltrate data. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. This activity is significant as it may indicate an attempt to communicate with a Command and Control (C2) server or exfiltrate sensitive data. If confirmed malicious, this could lead to data breaches and unauthorized access to critical information.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin nslookup usage", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dns_exfiltration_using_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Account Discovery with Dsquery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"dsquery.exe\" AND Processes.process = \"*user*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Account Discovery With Net App", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "98f6a534-04c2-11ec-96b2-acde48001122", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = \"* user*\" AND Processes.process = \"*/do*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Account Discovery with Wmic", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "383572e0-04c5-11ec-bdcc-acde48001122", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information.", "references": ["https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"wmic.exe\" AND Processes.process = \"*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*GET*\" AND Processes.process = \"*ds_samaccountname*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Controller Discovery with Nltest", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "description": "The following analytic detects the execution of `nltest.exe` with command-line arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `nltest.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"nltest.exe\") (Processes.process=\"*/dclist:*\" OR Processes.process=\"*/dsgetdc:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_nltest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Controller Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=\"\" OR Processes.process=\"*DomainControllerAddress*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` (ScriptBlockText = \"*[adsisearcher]*\" AND ScriptBlockText = \"*(objectcategory=group)*\" AND ScriptBlockText = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "domain_group_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery With Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to query for domain groups. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `dsquery.exe` to enumerate domain groups, gaining situational awareness and facilitating further Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the domain structure, identify high-value targets, and plan subsequent attacks, potentially leading to privilege escalation or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "f2f14ac7-fa81-471a-80d5-7eb65c3c7349", "description": "The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Prestige Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Domain Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to query for domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness and map out Active Directory structures. If confirmed malicious, this behavior could allow attackers to identify and target specific domain groups, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_group* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Download Files Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "58194e28-ae5e-11eb-8912-acde48001122", "description": "The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Phemedrone Stealer", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious files were downloaded with the Telegram application on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal download of file in telegram app. (if it was a common app in network)", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "download_files_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Drop IcedID License dat", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "b7a045fc-f14a-11eb-8e79-acde48001122", "description": "The following analytic detects the dropping of a suspicious file named \"license.dat\" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process $process_name$ created a file $TargetFilename$ on host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode= 11 TargetFilename = \"*\\\\license.dat\" AND (TargetFilename=\"*\\\\appdata\\\\*\" OR TargetFilename=\"*\\\\programdata\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "drop_icedid_license_dat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DSQuery Domain Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "cc316032-924a-11eb-91a2-acde48001122", "description": "The following analytic detects the execution of \"dsquery.exe\" with arguments targeting `TrustedDomain` queries directly from the command line. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments. This activity is significant as it often indicates domain trust discovery, a common step in lateral movement or privilege escalation by adversaries. If confirmed malicious, this could allow attackers to map domain trusts, potentially leading to further exploitation and unauthorized access to trusted domains.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc754232(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. If there is a true false positive, filter based on command-line or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dsquery_domain_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Dump LSASS via comsvcs DLL", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "description": "The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "Credential Dumping", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Industroyer2", "Living Off The Land", "Prestige Ransomware", "Suspicious Rundll32 Activity", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dump_lsass_via_comsvcs_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Dump LSASS via procdump", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of procdump.exe to dump the LSASS process, specifically looking for the -mm and -ma command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant because dumping LSASS can expose sensitive credentials, posing a severe security risk. If confirmed malicious, an attacker could obtain credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and further compromise of the environment.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_procdump", "definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dump_lsass_via_procdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Elevated Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query elevated domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Discovery", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*group*\" AND Processes.process=\"*/do*\") (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Elevated Group Discovery with PowerView", "author": "Mauricio Velazco, Splunk", "date": "2024-06-10", "version": 3, "id": "10d62950-0de5-4199-a710-cff9ea79b413", "description": "The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroupMember/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated group discovery using PowerView on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroupMember*\") AND ScriptBlockText IN (\"*Domain Admins*\",\"*Enterprise Admins*\", \"*Schema Admins*\", \"*Account Operators*\" , \"*Server Operators*\", \"*Protected Users*\", \"*Dns Admins*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "elevated_group_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Elevated Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments querying specific elevated domain groups. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes that access the LDAP namespace and search for groups like \"Domain Admins\" or \"Enterprise Admins.\" This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privilege accounts within Active Directory. If confirmed malicious, this behavior could lead to privilege escalation, allowing attackers to gain elevated access and control over critical network resources.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*) (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Enable RDP In Other Port Number", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "99495452-b899-11eb-96dc-acde48001122", "description": "The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" and the \"PortNumber\" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine.", "references": ["https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "RDP was moved to a non-standard port on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "enable_rdp_in_other_port_number_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Enable WDigest UseLogonCredential Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 5, "id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "description": "The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the \"UseLogonCredential\" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network.", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Credential Dumping", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wdigest registry $registry_path$ was modified in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "enable_wdigest_uselogoncredential_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Enumerate Users Local Group Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 4, "id": "fcd74532-ae54-11eb-a5ab-acde48001122", "description": "The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Telegram application has been identified enumerating local groups on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4798 CallerProcessName = \"*\\\\telegram.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode CallerProcessName ProcessID SubjectUserSid SubjectDomainName SubjectLogonId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "enumerate_users_local_group_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Esentutl SAM Copy", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "d372f928-ce4f-11eb-a762-acde48001122", "description": "The following analytic detects the use of `esentutl.exe` to access credentials stored in the ntds.dit or SAM file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it may indicate an attempt to extract sensitive credential information, which is a common tactic in lateral movement and privilege escalation. If confirmed malicious, this could allow an attacker to gain unauthorized access to user credentials, potentially compromising the entire network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md", "https://attack.mitre.org/software/S0404/"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN (\"*ntds*\", \"*SAM*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_esentutl", "definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "esentutl_sam_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ETW Registry Disabled", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 5, "id": "8ed523ac-276b-11ec-ac39-acde48001122", "description": "The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.", "references": ["https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "etw_registry_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Eventvwr UAC Bypass", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "description": "The following analytic detects an Eventvwr UAC bypass by identifying suspicious registry modifications in the path that Eventvwr.msc references upon execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes and process execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing an attacker to execute arbitrary commands with elevated privileges. If confirmed malicious, this could lead to unauthorized code execution, persistence, and further compromise of the affected system.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://attack.mitre.org/techniques/T1548/002/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*mscfile\\\\shell\\\\open\\\\command\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some false positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "eventvwr_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excel Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "42d40a22-9be3-11eb-8f08-acde48001122", "description": "The following analytic detects Microsoft Excel spawning PowerShell, an uncommon and suspicious behavior. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is \"excel.exe\" and the child process is PowerShell. This activity is significant because it is often associated with spearphishing attacks, where malicious attachments execute encoded PowerShell commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to data exfiltration, privilege escalation, or persistent access within the environment.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" `process_powershell` by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excel_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excel Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "57fe880a-9be3-11eb-9bf3-acde48001122", "description": "The following analytic identifies instances where Microsoft Excel spawns Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is `excel.exe`. This activity is significant because it is uncommon and often associated with malicious actions, such as spearphishing attacks. If confirmed malicious, this could allow an attacker to execute scripts, potentially leading to code execution, data exfiltration, or further system compromise. Immediate investigation and mitigation are recommended.", "references": ["https://app.any.run/tasks/8ecfbc29-03d0-421c-a5bf-3905d29192a2/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excel_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Attempt To Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 2, "id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "description": "The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where \"sc.exe\" is used with parameters like \"config\" or \"Disabled\" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"sc.exe\" AND Processes.process=\"*config*\" OR Processes.process=\"*Disabled*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_attempt_to_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive distinct processes from Windows Temp", "author": "Michael Hart, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 4, "id": "23587b6a-c479-11eb-b671-acde48001122", "description": "The following analytic identifies an excessive number of distinct processes executing from the Windows\\Temp directory. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths and counts within a 20-minute window. This behavior is significant as it often indicates the presence of post-exploit frameworks like Koadic and Meterpreter, which use this technique to execute malicious actions. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and maintain persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple processes were executed out of windows\\temp within a short amount of time on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\Windows\\\\Temp\\\\*\" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Many benign applications will create processes from executables in Windows\\Temp, although unlikely to exceed the given threshold. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_distinct_processes_from_windows_temp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive File Deletion In WinDefender Folder", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-12", "version": 3, "id": "b5baa09a-7a05-11ec-8da4-acde48001122", "description": "The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename = \"*\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*\" | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`", "how_to_implement": "To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_file_deletion_in_windefender_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive number of service control start as disabled", "author": "Michael Hart, Splunk", "date": "2024-05-19", "version": 2, "id": "77592bec-d5cc-11eb-9e60-acde48001122", "description": "The following analytic detects an excessive number of `sc.exe` processes launched with the command line argument `start= disabled` within a short period. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and process GUIDs. This activity is significant as it may indicate an attempt to disable critical services, potentially impairing system defenses. If confirmed malicious, this behavior could allow an attacker to disrupt security mechanisms, hinder incident response, and maintain control over the compromised system.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create", "https://attack.mitre.org/techniques/T1562/001/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"sc.exe\" AND Processes.process=\"*start= disabled*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_number_of_service_control_start_as_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive number of taskhost processes", "author": "Michael Hart", "date": "2024-05-20", "version": 4, "id": "f443dac2-c7cf-11eb-ab51-acde48001122", "description": "The following analytic identifies an excessive number of taskhost.exe and taskhostex.exe processes running within a short time frame. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and their counts. This behavior is significant as it is commonly associated with post-exploitation tools like Meterpreter and Koadic, which use multiple instances of these processes for actions such as discovery and lateral movement. If confirmed malicious, this activity could indicate an ongoing attack, allowing attackers to execute code, escalate privileges, or move laterally within the network.", "references": ["https://attack.mitre.org/software/S0250/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"taskhost.exe\" OR Processes.process_name = \"taskhostex.exe\" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == \"taskhost.exe\", pid_count, 0) | eval taskhostex_count_=if(process_name == \"taskhostex.exe\", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 or taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_number_of_taskhost_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Service Stop Attempt", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "ae8d3f4a-acd7-11eb-8846-acde48001122", "description": "The following analytic detects multiple attempts to stop or delete services on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.process_name = \"net1.exe\" AND Processes.process=\"*stop*\" OR Processes.process=\"*delete*\" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_service_stop_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of Cacls App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "0bdf6092-af17-11eb-939a-acde48001122", "description": "The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Prestige Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"XCACLS.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or administrative scripts may use this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_cacls_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of Net App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "45e52536-ae42-11eb-b5c6-acde48001122", "description": "The following analytic detects excessive usage of `net.exe` or `net1.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown. Filter as needed. Modify the time span as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage of NSLOOKUP App", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2024-05-15", "version": 3, "id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "description": "The following analytic detects excessive usage of the nslookup application, which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode 1 to monitor process executions, specifically focusing on nslookup.exe. The detection identifies outliers by comparing the frequency of nslookup executions against a calculated threshold. This activity is significant as it can reveal attempts by malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, this behavior could allow attackers to stealthily transfer sensitive information out of the network, bypassing traditional data exfiltration defenses.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"nslookup.exe\" | bucket _time span=1m | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of SC Service Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "cb6b339e-d4c6-11eb-a026-acde48001122", "description": "The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Azorult", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive Usage Of SC Service Utility", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"sc.exe\" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_sc_service_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive Usage Of Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "fe5bca48-accb-11eb-a67c-acde48001122", "description": "The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CISA AA22-264A", "CISA AA22-277A", "NjRAT", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Exchange PowerShell Abuse via SSRF", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "29228ab4-0762-11ec-94aa-acde48001122", "description": "The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment.", "references": ["https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`exchange` c_uri=\"*//autodiscover*\" cs_uri_query=\"*PowerShell*\" cs_method=\"POST\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`", "how_to_implement": "The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.", "known_false_positives": "Limited false positives, however, tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "exchange", "definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exchange_powershell_abuse_via_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Exchange PowerShell Module Usage", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 6, "id": "2d10095e-05ae-11ec-8fdf-acde48001122", "description": "The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) to identify these commands. This activity is significant because these modules can be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell vulnerabilities. If confirmed malicious, attackers could export mailbox contents, assign management roles, conduct mailbox searches, or view recipient objects, potentially leading to data exfiltration, privilege escalation, or unauthorized access to sensitive information.", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "CISA AA22-277A", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Exchange PowerShell module usaged was identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exchange_powershell_module_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Executable File Written in Administrative SMB Share", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 4, "id": "f63c34fe-a435-11eb-935a-acde48001122", "description": "The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed for lateral movement and remote code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code remotely, potentially compromising additional systems within the network.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/", "https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "Prestige Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.exe\",\"*.dll\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress | `security_content_ctime(firstTime)` | `executable_file_written_in_administrative_smb_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "executable_file_written_in_administrative_smb_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Executables Or Script Creation In Suspicious Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "description": "The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \\windows\\fonts\\, \\users\\public\\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "NjRAT", "PlugX", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Snake Keylogger", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\\\windows\\\\fonts\\\\* OR Filesystem.file_path = *\\\\windows\\\\temp\\\\* OR Filesystem.file_path = *\\\\users\\\\public\\\\* OR Filesystem.file_path = *\\\\windows\\\\debug\\\\* OR Filesystem.file_path = *\\\\Users\\\\Administrator\\\\Music\\\\* OR Filesystem.file_path = *\\\\Windows\\\\servicing\\\\* OR Filesystem.file_path = *\\\\Users\\\\Default\\\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\\\Windows\\\\Media\\\\* OR Filesystem.file_path = *\\\\Windows\\\\repair\\\\* OR Filesystem.file_path = *\\\\AppData\\\\Local\\\\Temp* OR Filesystem.file_path = *\\\\PerfLogs\\\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "executables_or_script_creation_in_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Execute Javascript With Jscript COM CLSID", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "dc64d064-d346-11eb-8588-acde48001122", "description": "The following analytic detects the execution of JavaScript using the JScript.Encode CLSID (COM Object) by cscript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as it is a known technique used by ransomware, such as Reddot, to execute malicious scripts and potentially disable AMSI (Antimalware Scan Interface). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cscript.exe\" Processes.process=\"*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "execute_javascript_with_jscript_com_clsid_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Execution of File with Multiple Extensions", "author": "Rico Valdez, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 4, "id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "description": "The following analytic detects the execution of files with multiple extensions, such as \".doc.exe\" or \".pdf.exe\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the file name contains double extensions. This activity is significant because attackers often use double extensions to disguise malicious executables as benign documents, increasing the likelihood of user execution. If confirmed malicious, this technique can lead to unauthorized code execution, potentially compromising the endpoint and allowing further malicious activities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "DarkGate Malware", "Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Parent Process", "Attacker"]}], "message": "process $process$ have double extensions in the file name is executed on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.doc.exe\", \"*.xls.exe\",\"*.ppt.exe\", \"*.htm.exe\", \"*.html.exe\", \"*.txt.exe\", \"*.pdf.exe\", \"*.docx.exe\", \"*.xlsx.exe\", \"*.pptx.exe\",\"*.one.exe\", \"*.bat.exe\", \"*rtf.exe\") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_multiple_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Extraction of Registry Hives", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "8bbb7d58-b360-11eb-ba21-acde48001122", "description": "The following analytic detects the use of `reg.exe` to export Windows Registry hives, which may contain sensitive credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `save` or `export` actions targeting the `sam`, `system`, or `security` hives. This activity is significant as it indicates potential offline credential access attacks, often executed from untrusted processes or scripts. If confirmed malicious, attackers could gain access to credential data, enabling further compromise and lateral movement within the network.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=\"*\\sam *\" OR Processes.process=\"*\\system *\" OR Processes.process=\"*\\security *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible some agent based products will generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "extraction_of_registry_hives_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "File with Samsam Extension", "author": "Rico Valdez, Splunk", "date": "2024-05-22", "version": 2, "id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "description": "The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "message": "File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \"(?\\.[^\\.]+)$\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because these extensions are not typically used in normal operations, you should investigate all results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "file_with_samsam_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Firewall Allowed Program Enable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "9a8f63a8-43ac-11ec-904c-acde48001122", "description": "The following analytic detects the modification of a firewall rule to allow the execution of a specific application. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events with command-line arguments related to firewall rule changes. This activity is significant as it may indicate an attempt to bypass firewall restrictions, potentially allowing unauthorized applications to communicate over the network. If confirmed malicious, this could enable an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the target environment.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Azorult", "BlackByte Ransomware", "NjRAT", "PlugX", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "firewall_allowed_program_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "First Time Seen Child Process of Zoom", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "description": "The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint.", "references": [], "tags": {"analytic_story": ["Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker", "Child Process"]}], "message": "Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \"`previously_seen_zoom_child_processes_window`\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "previously_seen_zoom_child_processes_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "first_time_seen_child_process_of_zoom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "zoom_first_time_child_process", "description": "A list of suspicious file names", "collection": "zoom_first_time_child_process", "case_sensitive_match": null, "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen"}]}, {"name": "First Time Seen Running Windows Service", "author": "David Dorsey, Splunk", "date": "2024-05-21", "version": 5, "id": "823136f2-d755-4b6d-ae04-372b486a5808", "description": "The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the \"running\" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "previously_seen_windows_services_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services"}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "first_time_seen_running_windows_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running", "collection": "previously_seen_running_windows_services", "case_sensitive_match": null, "fields_list": "_key, service, firstTimeSeen, lastTimeSeen"}]}, {"name": "FodHelper UAC Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "description": "The following analytic detects the execution of fodhelper.exe, which is known to exploit a User Account Control (UAC) bypass by leveraging specific registry keys. The detection method uses Endpoint Detection and Response (EDR) telemetry to identify when fodhelper.exe spawns a child process and accesses the registry keys. This activity is significant because it indicates a potential privilege escalation attempt by an attacker. If confirmed malicious, the attacker could execute commands with elevated privileges, leading to unauthorized system changes and potential full system compromise.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://github.com/gushmazuko/WinBypass/blob/master/FodhelperBypass.ps1", "https://attack.mitre.org/techniques/T1548/002/"], "tags": {"analytic_story": ["IcedID", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious registy keys added by process fodhelper.exe with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "fodhelper_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Fsutil Zeroing File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "description": "The following analytic detects the execution of the 'fsutil' command with the 'setzerodata' parameter, which zeros out a target file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is a technique used by ransomware, such as LockBit, to evade detection by erasing its malware path after encrypting the host. If confirmed malicious, this action could hinder forensic investigations and allow attackers to cover their tracks, complicating incident response efforts.", "references": ["https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible file data deletion on $dest$ using $process$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process=\"*setzerodata*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "fsutil_zeroing_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "36e46ebe-065a-11ec-b4c7-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can indicate attempts by adversaries to gather information about domain policies for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain security settings.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADDefaultDomainPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "description": "The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"Get-ADDefaultDomainPasswordPolicy\" to query domain password policy on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-ADDefaultDomainPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to identify high-value targets and plan subsequent attacks.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUser*\" AND Processes.process = \"*-filter*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_aduser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "21432e40-04f4-11ec-b7e6-acde48001122", "description": "The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"get-aduser\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-aduser*\" ScriptBlockText = \"*-filter*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_aduser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "8b5ef342-065a-11ec-b0fc-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential enumeration of domain policies, a common tactic for situational awareness and Active Directory discovery by adversaries. If confirmed malicious, this could allow attackers to understand password policies, aiding in further attacks such as password spraying or brute force attempts.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUserResultantPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 4, "id": "737e1eb0-065a-11ec-921a-acde48001122", "description": "The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline to query domain user password policy detected on host - $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Get-ADUserResultantPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "b8f9947e-065a-11ec-aafb-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to retrieve password policies in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this could lead to unauthorized access to sensitive domain configurations, aiding in privilege escalation and lateral movement within the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_domainpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainPolicy with Powershell Script Block", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 3, "id": "a360d2b2-065a-11ec-b0bf-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline $ScriptBlockText$ to query domain policy.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-DomainPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_domainpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "4fa7f846-054a-11ec-a836-acde48001122", "description": "The following analytic identifies the execution of the Get-DomainTrust command from PowerView using PowerShell, which is used to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential reconnaissance efforts by an adversary to understand domain trust relationships, which can inform lateral movement strategies. If confirmed malicious, this could allow attackers to map out the network, identify potential targets, and plan further attacks, potentially compromising additional systems within the domain.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_domaintrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "89275e7e-0548-11ec-bf75-acde48001122", "description": "The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible certain system management frameworks utilize this command to gather trust information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_domaintrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "9a5a41d6-04e7-11ec-923c-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-DomainUser` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams using PowerView for Active Directory discovery. If confirmed malicious, this could allow attackers to gain situational awareness and identify valuable targets within the domain, potentially leading to further exploitation.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainUser*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_domainuser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get DomainUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 4, "id": "61994268-04f4-11ec-865c-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainUser` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages PowerShell operational logs to identify instances where this command is executed. Monitoring this activity is crucial as it may indicate an adversary's attempt to gather information about domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain resources.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"*Get-DomainUser*\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainUser*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_domainuser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "584f4884-0bf1-11ec-a5ec-acde48001122", "description": "The following analytic detects the execution of the Get-ForestTrust command via PowerShell, commonly used by adversaries to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying this activity is crucial as it indicates potential reconnaissance efforts to map out domain trusts, which can inform further attacks. If confirmed malicious, this activity could allow attackers to understand domain relationships, aiding in lateral movement and privilege escalation within the network.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_foresttrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "description": "The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_foresttrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get WMIObject Group Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "5434f670-155d-11ec-8cca-acde48001122", "description": "The following analytic detects the use of the `Get-WMIObject Win32_Group` command executed via PowerShell to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying local groups can be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out group memberships, aiding in further exploitation or unauthorized access to sensitive resources.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process=\"*Get-WMIObject*\" AND Processes.process=\"*Win32_Group*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "get_wmiobject_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "69df7f7c-155d-11ec-a055-acde48001122", "description": "The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery enumeration on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-WMIObject*\" AND ScriptBlockText = \"*Win32_Group*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "get_wmiobject_group_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdComputer` commandlet, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it indicates potential reconnaissance efforts by adversaries to map out domain computers, which is a common step in the attack lifecycle. If confirmed malicious, this behavior could allow attackers to gain situational awareness and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getadcomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 4, "id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "description": "The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-AdComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getadcomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows Domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an adversary or Red Team enumerating domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getadgroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetAdGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "description": "The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ADGroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getadgroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetCurrent User with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET class. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use this method to identify the logged-in user on a compromised endpoint, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this could allow attackers to gain insights into user context, potentially facilitating further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getcurrent_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetCurrent User with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "80879283-c30f-44f7-8471-d1381f6d437a", "description": "The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[System.Security.Principal.WindowsIdentity]*\" ScriptBlockText = \"*GetCurrent()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getcurrent_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize `Get-DomainComputer` to discover remote systems. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as `Get-DomainComputer` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to map out the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getdomaincomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "f64da023-b988-4775-8d57-38e512beb56e", "description": "The following analytic detects the execution of the `Get-DomainComputer` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for enumerating domain computers within Windows environments. The detection leverages script block text analysis to identify this specific command. Monitoring this activity is crucial as it can indicate an adversary's attempt to gather information about domain computers, which is a common step in Active Directory reconnaissance. If confirmed malicious, this activity could lead to further network enumeration and potential lateral movement within the domain.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainComputer/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getdomaincomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainController with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-DomainController` command, which is used to discover remote systems within a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an attempt to enumerate domain controllers, a common tactic in Active Directory discovery. If confirmed malicious, this activity could allow attackers to gain situational awareness, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery using PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getdomaincontroller_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainController with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "676b600a-a94d-4951-b346-11329431e6c1", "description": "The following analytic detects the execution of the `Get-DomainController` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for domain enumeration. The detection leverages script block text to identify this specific activity. Monitoring this behavior is crucial as it may indicate an adversary or Red Team performing reconnaissance to map out domain controllers. If confirmed malicious, this activity could lead to further domain enumeration, potentially exposing sensitive information and aiding in lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $Computer$ by $UserID$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainController*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getdomaincontroller_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "93c94be3-bead-4a60-860f-77ca3fe59903", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that query for domain groups using `Get-DomainGroup`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. Monitoring this activity is crucial as `Get-DomainGroup` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to gain insights into domain group structures, aiding in further exploitation and privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery with PowerView on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getdomaingroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetDomainGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "description": "The following analytic detects the execution of the `Get-DomainGroup` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerView on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroup*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView functions for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getdomaingroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetLocalUser with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "85fae8fa-0427-11ec-8b78-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-LocalUser` commandlet, which is used to query local user accounts. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant because adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify potential targets for further exploitation or privilege escalation within the environment.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getlocaluser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetLocalUser with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "2e891cbe-0426-11ec-9c9c-acde48001122", "description": "The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-LocalUser*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getlocaluser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "description": "The following analytic identifies the execution of `powershell.exe` with the `Get-NetTcpConnection` command, which lists current TCP connections on a system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is significant as it may indicate an adversary or Red Team performing network reconnaissance or situational awareness. If confirmed malicious, this activity could allow attackers to map network connections, aiding in lateral movement or further exploitation within the network.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getnettcpconnection_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "091712ff-b02a-4d43-82ed-34765515d95d", "description": "The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-NetTcpconnection*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getnettcpconnection_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet to discover remote systems, specifically targeting the `DS_Computer` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain computers and gather situational awareness within Active Directory. If confirmed malicious, this behavior could allow attackers to map the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration using WMI on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_computer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify queries targeting domain computers using WMI. Monitoring this activity is crucial as adversaries and Red Teams may use it for Active Directory Discovery and situational awareness. If confirmed malicious, this behavior could allow attackers to map out domain computers, facilitating further attacks such as lateral movement or privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_computer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_ds_computer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "df275a44-4527-443b-b884-7600e066e3eb", "description": "The following analytic identifies the execution of `powershell.exe` with command-line arguments used to query domain groups via the `Get-WmiObject` cmdlet and the `-class ds_group` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this could allow attackers to gain insights into the domain structure, aiding in further attacks and privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_group_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "67740bd3-1506-469c-b91d-effc322cc6e5", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages WMI to query all domain groups. Monitoring this activity is crucial as adversaries and Red Teams may use it for domain group enumeration, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map out the domain structure, potentially leading to further exploitation and privilege escalation within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_ds_group_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "22d3b118-04df-11ec-8fa3-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to query domain users via the `Get-WmiObject` cmdlet and `-class ds_user` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this could lead to further attacks, including privilege escalation and lateral movement within the network.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*get-wmiobject*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*root\\\\directory\\\\ldap*\" AND Processes.process = \"*-namespace*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 4, "id": "fabd364e-04f3-11ec-b34b-acde48001122", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). It leverages logs to identify attempts to query all domain users using WMI. This activity is significant as it may indicate an adversary or Red Team operation attempting to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to map out the network and identify potential targets for privilege escalation or lateral movement.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/describing-the-ldap-namespace"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline for user enumeration detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-wmiobject*\" ScriptBlockText = \"*ds_user*\" ScriptBlockText = \"*-namespace*\" ScriptBlockText = \"*root\\\\directory\\\\ldap*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_ds_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "b44f6ac6-0429-11ec-87e9-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` parameter to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate user accounts for situational awareness or Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "getwmiobject_user_account_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "640b0eda-0429-11ec-accd-acde48001122", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Get-WmiObject*\" AND ScriptBlockText=\"*Win32_UserAccount*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "getwmiobject_user_account_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "2c853856-a140-11eb-a5b5-acde48001122", "description": "The following analytic detects the execution of gpupdate.exe without command line arguments and with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them, especially with network activity, is often associated with malicious software like Cobalt Strike. If confirmed malicious, this activity could indicate an attacker leveraging gpupdate.exe for lateral movement, command and control, or other nefarious purposes, potentially leading to system compromise.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "C2", "type": "IP Address", "role": ["Attacker"]}], "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "gpupdate_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Headless Browser Mockbin or Mocky Request", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "94fc85a1-e55b-4265-95e1-4b66730e05c0", "description": "The following analytic detects headless browser activity accessing mockbin.org or mocky.io. It identifies processes with the \"--headless\" and \"--disable-gpu\" command line arguments, along with references to mockbin.org or mocky.io. This behavior is significant as headless browsers are often used for automated tasks, including malicious activities like web scraping or automated attacks. If confirmed malicious, this activity could indicate an attempt to bypass traditional browser security measures, potentially leading to data exfiltration or further exploitation of web applications.", "references": ["https://mockbin.org/", "https://www.mocky.io/"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\" AND (Processes.process=\"*mockbin.org/*\" OR Processes.process=\"*mocky.io/*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "headless_browser_mockbin_or_mocky_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Headless Browser Usage", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "869ba261-c272-47d7-affe-5c0aa85c93d6", "description": "The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the \"--headless\" and \"--disable-gpu\" command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications.", "references": ["https://cert.gov.ua/article/5702579"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Behavior related to headless browser usage detected on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "headless_browser_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hide User Account From Sign-In Screen", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 5, "id": "834ba832-ad89-11eb-937d-acde48001122", "description": "The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" with a value of \"0x00000000\". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Warzone RAT", "Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "registry_value_name", "type": "Other", "role": ["Attacker"]}], "message": "Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "hide_user_account_from_sign_in_screen_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hiding Files And Directories With Attrib exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 6, "id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "description": "The following analytic detects the use of the Windows binary attrib.exe to hide files or directories by marking them with specific flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include the \"+h\" flag. This activity is significant because hiding files can be a tactic used by attackers to conceal malicious files or tools from users and security software. If confirmed malicious, this behavior could allow an attacker to persist in the environment undetected, potentially leading to further compromise or data exfiltration.", "references": [], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`hiding_files_and_directories_with_attrib_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some applications and users may legitimately use attrib.exe to interact with the files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "hiding_files_and_directories_with_attrib_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Frequency Copy Of Files In Network Share", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "40925f12-4709-11ec-bb43-acde48001122", "description": "The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.", "references": ["https://attack.mitre.org/techniques/T1537/"], "tags": {"analytic_story": ["Information Sabotage", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "High frequency copy of document into a network share from $src_ip$ by $src_user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.doc\",\"*.docx\",\"*.xls\",\"*.xlsx\",\"*.ppt\",\"*.pptx\",\"*.log\",\"*.txt\",\"*.db\",\"*.7z\",\"*.zip\",\"*.rar\",\"*.tar\",\"*.gz\",\"*.jpg\",\"*.gif\",\"*.png\",\"*.bmp\",\"*.pdf\",\"*.rtf\",\"*.key\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "This behavior may seen in normal transfer of file within network if network share is common place for sharing documents.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_frequency_copy_of_files_in_network_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Process Termination Frequency", "author": "Teoderick Contreras", "date": "2024-05-12", "version": 3, "id": "17cd75b2-8666-11eb-9ab4-acde48001122", "description": "The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware", "LockBit Ransomware", "Rhysida Ransomware", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "proc_terminated", "type": "Process", "role": ["Target"]}], "message": "High frequency process termination (more than 15 processes within 3s) detected on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin or user tool that can terminate multiple process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_process_termination_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hunting 3CXDesktopApp Software", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "description": "The following analytic detects the presence of any version of the 3CXDesktopApp, also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint data model's Processes node to identify instances of the application running, although it does not provide file version information. This activity is significant because 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could be exploited by attackers. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected systems.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance $process_name$ was identified on endpoint $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name=\"3CX Desktop App\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "hunting_3cxdesktopapp_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Icacls Deny Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "description": "The following analytic detects instances where an adversary modifies security permissions of a file or directory using commands like \"icacls.exe\", \"cacls.exe\", or \"xcacls.exe\" with deny options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and impede access to critical files. If confirmed malicious, this could allow attackers to maintain persistence and hinder incident response efforts.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Sandworm Tools", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/deny*\", \"*/D*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "icacls_deny_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ICACLS Grant Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "b1b1e316-accc-11eb-a9b4-acde48001122", "description": "The following analytic detects the use of the ICACLS command to grant additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to manipulate file permissions, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/grant*\", \"*/G*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "icacls_grant_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "IcedID Exfiltrated Archived File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "0db4da70-f14b-11eb-8043-acde48001122", "description": "The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $TargetFilename$ on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode= 11 (TargetFilename = \"*\\\\passff.tar\" OR TargetFilename = \"*\\\\cookie.tar\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "icedid_exfiltrated_archived_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 4, "id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "description": "The following analytic identifies the use of suspicious command-line parameters associated with Impacket tools, such as `wmiexec.py`, `smbexec.py`, `dcomexec.py`, and `atexec.py`, which are used for lateral movement and remote code execution. It detects these activities by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns. This activity is significant because Impacket tools are commonly used by adversaries and Red Teams to move laterally within a network. If confirmed malicious, this could allow attackers to execute commands remotely, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = \"*/Q /c * \\\\\\\\127.0.0.1\\\\*$*\" AND Processes.process IN (\"*2>&1*\",\"*2>&1*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "description": "The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of Impacket tool usage. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement. If confirmed malicious, this activity could allow attackers to execute commands on remote endpoints, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process,\"(?i)echo\\s+cd\") AND match(process, \"(?i)\\\\__output\") AND match(process, \"(?i)C:\\\\\\\\Windows\\\\\\\\[a-zA-Z]{1,8}\\\\.bat\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_smbexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "description": "The following analytic detects the use of Impacket's `wmiexec.py` tool for lateral movement by identifying specific command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned by `wmiprvse.exe` with command-line patterns indicative of Impacket usage. This activity is significant as Impacket tools are commonly used by adversaries for remote code execution and lateral movement within a network. If confirmed malicious, this could allow attackers to execute arbitrary commands on remote systems, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") AND match(process, \"__\\\\d{1,10}\\\\.\\\\d{1,10}\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 5, "id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "description": "The following analytic detects the use of the `Enter-PSSession` cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An interactive session was opened on a remote endpoint from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Enter-PSSession*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "interactive_session_on_remote_endpoint_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Java Class File download by Java User Agent", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "8281ce42-5c50-11ec-82d2-acde48001122", "description": "The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. It leverages web or proxy logs within the Web Datamodel to detect this activity. This behavior is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, an attacker could exploit vulnerabilities in the Java application, potentially leading to remote code execution and further compromise of the affected system.", "references": ["https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_user_agent", "type": "Other", "role": ["Other"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}], "message": "A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_user_agent=\"*Java*\" Web.http_method=\"GET\" Web.url=\"*.class*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "Filtering may be required in some instances, filter as needed.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "java_class_file_download_by_java_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Java Writing JSP File", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "eb65619c-4f8d-4383-a975-d352765d344b", "description": "The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Spring4Shell CVE-2022-22965", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"java\",\"java.exe\", \"javaw.exe\") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.jsp*\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "java_writing_jsp_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Jscript Execution Using Cscript App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "002f1e24-146e-11ec-a470-acde48001122", "description": "The following analytic detects the execution of JScript using the cscript.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This behavior is significant because JScript files are typically executed by wscript.exe, making cscript.exe execution unusual and potentially indicative of malicious activity, such as the FIN7 group's tactics. If confirmed malicious, this activity could allow attackers to execute arbitrary scripts, leading to code execution, data exfiltration, or further system compromise.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute jscript in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"cscript.exe\" AND Processes.parent_process = \"*//e:jscript*\") OR (Processes.process_name = \"cscript.exe\" AND Processes.process = \"*//e:jscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "jscript_execution_using_cscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberoasting spn request with RC4 encryption", "author": "Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 6, "id": "5cc67381-44fa-4111-8a37-7a230943f027", "description": "The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools. This activity is significant as Kerberoasting allows attackers to request service tickets for domain accounts, typically service accounts, and crack them offline to gain privileged access. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/4e3e9c8096dde00639a6b98845ec349135554ed5/atomics/T1208/T1208.md", "https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential kerberoasting attack via service principal name requests detected on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4769 ServiceName!=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, service, TicketEncryptionType, TicketOptions | rename Computer as dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberoasting_spn_request_with_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "0cb847ee-9423-11ec-b2df-acde48001122", "description": "The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User Name", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled for $user$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Unknown.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "59b51620-94c9-11ec-b3d5-acde48001122", "description": "The following analytic detects the use of the `Set-ADAccountControl` PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific command execution. Disabling Kerberos Pre-Authentication is significant because it allows adversaries to perform offline brute force attacks against user passwords using the AS-REP Roasting technique. If confirmed malicious, this activity could enable attackers to escalate privileges or maintain persistence within an Active Directory environment, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled using PowerShell on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Although unlikely, Administrators may need to set this flag for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "7d90f334-a482-11ec-908c-acde48001122", "description": "The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.", "references": ["https://attack.mitre.org/techniques/T1558/001/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769", "https://adsecurity.org/?p=1515", "https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos Service TTicket request with RC4 encryption was requested from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_service_ticket_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos TGT Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "18916468-9c04-11ec-bdc6-acde48001122", "description": "The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_tgt_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kerberos User Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "description": "The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.", "references": ["https://github.com/ropnop/kerbrute", "https://attack.mitre.org/techniques/T1589/002/", "https://redsiege.com/tools-techniques/2020/04/user-enumeration-part-3-windows/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential Kerberos based user enumeration attack $src_ip$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!=\"*$\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1| `kerberos_user_enumeration_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_user_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Known Services Killed by Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 3, "id": "3070f8e0-c528-11eb-b2a0-acde48001122", "description": "The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "param1", "type": "Other", "role": ["Other"]}], "message": "Known services $param1$ terminated by a potential ransomware on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7036 param1 IN (\"*Volume Shadow Copy*\",\"*VSS*\", \"*backup*\", \"*sophos*\", \"*sql*\", \"*memtas*\", \"*mepocs*\", \"*veeam*\", \"*svc$*\", \"DefWatch\", \"ccEvtMgr\", \"ccSetMgr\", \"SavRoam\", \"RTVscan\", \"QBFCService\", \"QBIDPService\", \"Intuit.QuickBooks.FCS\", \"QBCFMonitorService\" \"YooBackup\", \"YooIT\", \"*Veeam*\", \"PDVFSService\", \"BackupExecVSSProvider\", \"BackupExecAgentAccelerator\", \"BackupExec*\", \"WdBoot\", \"WdFilter\", \"WdNisDrv\", \"WdNisSvc\", \"WinDefend\", \"wscsvc\", \"Sense\", \"sppsvc\", \"SecurityHealthService\") param2=\"stopped\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.", "known_false_positives": "Admin activities or installing related updates may do a sudden stop to list of services we monitor.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "known_services_killed_by_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Account Manipulation Of SSH Config and Keys", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "description": "The following analytic detects the deletion of SSH keys on a Linux machine. It leverages filesystem event logs to identify when files within \"/etc/ssh/*\" or \"~/.ssh/*\" are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN (\"/etc/ssh/*\", \"~/.ssh/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_account_manipulation_of_ssh_config_and_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Add Files In Known Crontab Directories", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "023f3452-5f27-11ec-bf00-acde48001122", "description": "The following analytic detects unauthorized file creation in known crontab directories on Unix-based systems. It leverages filesystem data to identify new files in directories such as /etc/cron* and /var/spool/cron/*. This activity is significant as it may indicate an attempt by threat actors or malware to establish persistence on a compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/", "https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/cron*\", \"*/var/spool/cron/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_add_files_in_known_crontab_directories_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Add User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "description": "The following analytic detects the creation of new user accounts on Linux systems using commands like \"useradd\" or \"adduser.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.", "references": ["https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create user account on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"useradd\", \"adduser\") OR Processes.process IN (\"*useradd *\", \"*adduser *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_add_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Adding Crontab Using List Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "description": "The following analytic detects suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to establish persistence or execute malicious code on a schedule. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. Further investigation should analyze the added cron job, its associated command, and any related processes.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Gomir", "Industroyer2", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab list command $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"crontab\" Processes.process= \"* -l*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_adding_crontab_using_list_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux apt-get Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 2, "id": "d870ce3b-e796-402f-b2af-cab4da1223f2", "description": "The following analytic detects the execution of the 'apt-get' command with elevated privileges using 'sudo' on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a user may be attempting to escalate privileges to root, which could lead to unauthorized system control. If confirmed malicious, an attacker could gain root access, allowing them to execute arbitrary commands, install or remove software, and potentially compromise the entire system.", "references": ["https://gtfobins.github.io/gtfobins/apt-get/", "https://phoenixnap.com/kb/how-to-use-apt-get-commands"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt-get*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_apt_get_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux APT Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 2, "id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "description": "The following analytic detects the use of the Advanced Package Tool (APT) with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where APT commands are executed with sudo rights. This activity is significant because it indicates a user can run system commands as root, potentially leading to unauthorized root shell access. If confirmed malicious, this could allow an attacker to escalate privileges, execute arbitrary commands, and gain full control over the affected system, posing a severe security risk.", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://www.digitalocean.com/community/tutorials/what-is-apt"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_apt_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux At Allow Config File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "977b3082-5f3d-11ec-b954-acde48001122", "description": "The following analytic detects the creation of the /etc/at.allow or /etc/at.deny configuration files in Linux. It leverages file creation events from the Endpoint datamodel to identify when these files are created. This activity is significant as these files control user permissions for the \"at\" scheduling application and can be abused by attackers to establish persistence. If confirmed malicious, this could allow unauthorized execution of malicious code, leading to potential data theft or further system compromise. Analysts should review the file path, creation time, and associated processes to assess the threat.", "references": ["https://linuxize.com/post/at-command-in-linux/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/at.allow\", \"*/etc/at.deny\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_at_allow_config_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux At Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 3, "id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "description": "The following analytic detects the execution of the \"At\" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with \"at\" or \"atd\". This activity is significant because the \"At\" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.", "references": ["https://attack.mitre.org/techniques/T1053/001/", "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "At application was executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"at\", \"atd\") OR Processes.parent_process_name IN (\"at\", \"atd\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_at_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux AWK Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "4510cae0-96a2-4840-9919-91d262db210a", "description": "The following analytic detects the use of the AWK command with elevated privileges to execute system commands. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring processes that include \"sudo,\" \"awk,\" and \"BEGIN*system\" in their command lines. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by executing commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control over the affected endpoint.", "references": ["https://www.hacknos.com/awk-privilege-escalation/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*\" AND Processes.process=\"*awk*\" AND Processes.process=\"*BEGIN*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Busybox Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-27", "version": 2, "id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "description": "The following analytic detects the execution of BusyBox with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where BusyBox is executed with both 'sh' and 'sudo' commands. This activity is significant because it indicates a user may be attempting to gain root access, bypassing standard security controls. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and potential persistence within the environment.", "references": ["https://gtfobins.github.io/gtfobins/busybox/", "https://man.archlinux.org/man/busybox.1.en"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*busybox*\" AND Processes.process=\"*sh*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_busybox_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux c89 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-30", "version": 2, "id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "description": "The following analytic detects the execution of the 'c89' command with elevated privileges, which can be used to compile and execute C programs as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute arbitrary commands as root. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute any command with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/c89/", "https://www.ibm.com/docs/en/zos/2.1.0?topic=guide-c89-compiler-invocation-using-host-environment-variables"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c89*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_c89_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux c99 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-21", "version": 2, "id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "description": "The following analytic detects the execution of the c99 utility with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of the c99 utility to gain root access, which is critical for maintaining system security. If confirmed malicious, this could allow an attacker to execute commands as root, potentially compromising the entire system and accessing sensitive information.", "references": ["https://gtfobins.github.io/gtfobins/c99/", "https://pubs.opengroup.org/onlinepubs/009604499/utilities/c99.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c99*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_c99_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Change File Owner To Root", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c1400ea2-6257-11ec-ad49-acde48001122", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "references": ["https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users", "https://askubuntu.com/questions/617850/changing-from-user-to-superuser"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may change ownership to root on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = \"*chown *\") AND Processes.process = \"* root *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_change_file_owner_to_root_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Clipboard Data Copy", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "description": "The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://linux.die.net/man/1/xclip"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN (\"*-o *\", \"*-sel *\", \"*-selection *\", \"*clip *\",\"*clipboard*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_clipboard_data_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Common Process For Elevation Control", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "66ab15c0-63d0-11ec-9e70-acde48001122", "description": "The following analytic identifies the execution of common Linux processes used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because these processes are often abused by adversaries to gain persistence or escalate privileges on compromised hosts. If confirmed malicious, this behavior could allow attackers to modify file attributes, change file ownership, or set user IDs, potentially leading to unauthorized access and control over critical system resources.", "references": ["https://attack.mitre.org/techniques/T1548/001/", "https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297", "https://github.com/bfuzzy1/auditd-attack/blob/master/auditd-attack/auditd-attack.rules#L269-L270", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ with process $process_name$ on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"chmod\", \"chown\", \"fchmod\", \"fchmodat\", \"fchown\", \"fchownat\", \"fremovexattr\", \"fsetxattr\", \"lchown\", \"lremovexattr\", \"lsetxattr\", \"removexattr\", \"setuid\", \"setgid\", \"setreuid\", \"setregid\", \"chattr\") OR Processes.process IN (\"*chmod *\", \"*chown *\", \"*fchmod *\", \"*fchmodat *\", \"*fchown *\", \"*fchownat *\", \"*fremovexattr *\", \"*fsetxattr *\", \"*lchown *\", \"*lremovexattr *\", \"*lsetxattr *\", \"*removexattr *\", \"*setuid *\", \"*setgid *\", \"*setreuid *\", \"*setregid *\", \"*setcap *\", \"*chattr *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_common_process_for_elevation_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Composer Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 2, "id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "description": "The following analytic detects the execution of the Composer tool with elevated privileges on a Linux system. It identifies instances where Composer is run with the 'sudo' command, allowing the user to execute system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to unauthorized root access. If confirmed malicious, an attacker could gain full control over the system, execute arbitrary commands, and compromise sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/composer/", "https://getcomposer.org/doc/00-intro.md"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*composer*\" AND Processes.process=\"*run-script*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_composer_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Cpulimit Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 2, "id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "description": "The following analytic detects the use of the 'cpulimit' command with specific flags ('-l', '-f') executed with 'sudo' privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because if 'cpulimit' is granted sudo rights, a user can potentially execute system commands as root, leading to privilege escalation. If confirmed malicious, this could allow an attacker to gain root access, execute arbitrary commands, and fully compromise the affected system.", "references": ["https://gtfobins.github.io/gtfobins/cpulimit/", "http://cpulimit.sourceforge.net/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*cpulimit*\" AND Processes.process=\"*-l*\" AND Processes.process=\"*-f*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_cpulimit_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Csvtool Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 2, "id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "description": "The following analytic detects the execution of the 'csvtool' command with 'sudo' privileges, which can allow a user to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain unauthorized root access. If confirmed malicious, this could lead to full system compromise, allowing an attacker to execute arbitrary commands, escalate privileges, and maintain persistent access.", "references": ["https://gtfobins.github.io/gtfobins/csvtool/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*csvtool*\" AND Processes.process=\"*call*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_csvtool_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Curl Upload File", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "description": "The following analytic detects the use of the curl command with specific switches (-F, --form, --upload-file, -T, -d, --data, --data-raw, -I, --head) to upload AWS credentials or configuration files to a remote destination. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to exfiltrate sensitive AWS credentials, a technique known to be used by the TeamTNT group. If confirmed malicious, this could lead to unauthorized access and potential compromise of AWS resources.", "references": ["https://curl.se/docs/manpage.html", "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-F *\", \"*--form *\",\"*--upload-file *\",\"*-T *\",\"*-d *\",\"*--data *\",\"*--data-raw *\", \"*-I *\", \"*--head *\") AND Processes.process IN (\"*.aws/credentials*\". \"*.aws/config*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_curl_upload_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Data Destruction Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "description": "The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage.", "references": ["https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process IN (\"* -rf*\", \"* -fr*\") AND Processes.process = \"* --no-preserve-root\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_data_destruction_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux DD File Overwrite", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "description": "The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.", "references": ["https://gtfobins.github.io/gtfobins/dd/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dd\" AND Processes.process = \"*of=*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_dd_file_overwrite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Decode Base64 to Shell", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "637b603e-1799-40fd-bf87-47ecbd551b66", "description": "The following analytic detects the decoding of base64-encoded data and its execution in a Linux shell. It leverages the Endpoint.Processes data model to search for commands like \"base64 -d\" and \"base64 --decode\" combined with Linux shell execution. This activity is significant because base64 encoding is often used to obfuscate malicious commands or payloads, indicating potential malicious activity. If confirmed malicious, this behavior could allow an attacker to execute unauthorized commands, gain unauthorized access, exfiltrate data, or perform other harmful actions on the Linux system.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") AND Processes.process=\"*|*\" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate software being utilized. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_decode_base64_to_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "description": "The following analytic detects the deletion of critical directories on a Linux machine using the `rm` command with argument rf. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant because deleting these directories can severely disrupt system operations and is often associated with destructive campaigns like Industroyer2. If confirmed malicious, this action could lead to system instability, data loss, and potential downtime, making it crucial for immediate investigation and response.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A deletion in known critical list of folder using rm command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= \"* -rf *\" AND Processes.process IN (\"*/boot/*\", \"*/var/log/*\", \"*/etc/*\", \"*/dev/*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_deleting_critical_directory_using_rm_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion Of Cron Jobs", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "description": "The following analytic detects the deletion of cron jobs on a Linux machine. It leverages filesystem event logs to identify when files within the \"/etc/cron.*\" directory are deleted. This activity is significant because attackers or malware may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. If confirmed malicious, this action could allow an attacker to disrupt system operations, evade security measures, or facilitate further malicious activities such as data wiping, as seen with the acidrain malware.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path=\"/etc/cron.*\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_cron_jobs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion Of Init Daemon Script", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "description": "The following analytic detects the deletion of init daemon scripts on a Linux machine. It leverages filesystem event logs to identify when files within the /etc/init.d/ directory are deleted. This activity is significant because init daemon scripts control the start and stop of critical services, and their deletion can indicate an attempt to impair security features or evade defenses. If confirmed malicious, this behavior could allow an attacker to disrupt essential services, execute destructive payloads, or persist undetected in the environment.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Init daemon script deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/init.d/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_init_daemon_script_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion Of Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 3, "id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "description": "The following analytic detects the deletion of services on a Linux machine. It leverages filesystem event logs to identify when service files within system directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This activity is significant because attackers may delete or modify services to disable security features or evade defenses. If confirmed malicious, this behavior could indicate an attempt to impair system functionality or execute a destructive payload, potentially leading to system instability or data loss. Immediate investigation is required to determine the responsible process and user.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AcidRain", "AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/systemd/*\", \"*/lib/systemd/*\", \"*/run/systemd/*\") Filesystem.file_path = \"*.service\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Deletion of SSL Certificate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "839ab790-a60a-4f81-bfb3-02567063f615", "description": "The following analytic detects the deletion of SSL certificates on a Linux machine. It leverages filesystem event logs to identify when files with extensions .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant because attackers may delete or modify SSL certificates to disable security features or evade defenses on a compromised system. If confirmed malicious, this behavior could indicate an attempt to disrupt secure communications, evade detection, or execute a destructive payload, potentially leading to significant security breaches and data loss.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "SSL certificate deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/ssl/certs/*\" Filesystem.file_path IN (\"*.pem\", \"*.crt\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_ssl_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "description": "The following analytic detects attempts to disable a service on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" with commands containing \"disable.\" This activity is significant as adversaries may disable security or critical services to evade detection and facilitate further malicious actions, such as deploying destructive payloads. If confirmed malicious, this could lead to the termination of essential security services, allowing attackers to persist undetected and potentially cause significant damage to the system.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process = \"* disable*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Doas Conf File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "f6343e86-6e09-11ec-9376-acde48001122", "description": "The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages filesystem data from the Endpoint data model, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/doas.conf\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_doas_conf_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Doas Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "d5a62490-6e09-11ec-884e-acde48001122", "description": "The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A doas $process_name$ with commandline $process$ was executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"doas\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_doas_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Docker Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3", "description": "The following analytic detects attempts to escalate privileges on a Linux system using Docker. It identifies processes where Docker commands are used to mount the root directory or execute shell commands within a container. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, command-line arguments, and parent processes. This activity is significant because it can allow an attacker with Docker privileges to modify critical system files, such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead to full system compromise and persistent unauthorized access.", "references": ["https://gtfobins.github.io/gtfobins/docker/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN(\"*docker*-v*/*:*\",\"*docker*--volume*/*:*\") OR Processes.process IN(\"*docker*exec*sh*\",\"*docker*exec*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_docker_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Edit Cron Table Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "0d370304-5f26-11ec-a4bb-acde48001122", "description": "The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab edit command $process$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = \"*crontab *\" Processes.process = \"* -e*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_edit_cron_table_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Emacs Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "92033cab-1871-483d-a03b-a7ce98665cfc", "description": "The following analytic detects the execution of Emacs with elevated privileges using the `sudo` command and the `--eval` option. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by running Emacs with elevated permissions. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and unauthorized access to sensitive information.", "references": ["https://gtfobins.github.io/gtfobins/emacs/", "https://en.wikipedia.org/wiki/Emacs"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*emacs*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_emacs_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux File Created In Kernel Driver Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "b85bbeec-6326-11ec-9311-acde48001122", "description": "The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/kernel/drivers/*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_file_created_in_kernel_driver_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux File Creation In Init Boot Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "description": "The following analytic detects the creation of files in Linux init boot directories, which are used for automatic execution upon system startup. It leverages file system logs to identify new files in directories such as /etc/init.d/ and /etc/rc.d/. This activity is significant as it is a common persistence technique used by adversaries, malware authors, and red teamers. If confirmed malicious, this could allow an attacker to maintain persistence on the compromised host, potentially leading to further exploitation and unauthorized control over the system.", "references": ["https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/init.d/*\", \"*/etc/rc.d/*\", \"*/sbin/init.d/*\", \"*/etc/rc.local*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_init_boot_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux File Creation In Profile Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "46ba0082-61af-11ec-9826-acde48001122", "description": "The following analytic detects the creation of files in the /etc/profile.d directory on Linux systems. It leverages filesystem data to identify new files in this directory, which is often used by adversaries for persistence by executing scripts upon system boot. This activity is significant as it may indicate an attempt to maintain long-term access to the compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges each time the system boots, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1546/004/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/profile.d/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_profile_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Find Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 2, "id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "description": "The following analytic detects the use of the 'find' command with 'sudo' and '-exec' options, which can indicate an attempt to escalate privileges on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could enable an attacker to gain full control over the system, leading to severe security breaches and unauthorized access to sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/find/", "https://en.wikipedia.org/wiki/Find_(Unix)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*find*\" AND Processes.process=\"*-exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_find_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux GDB Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-16", "version": 2, "id": "310b7da2-ab52-437f-b1bf-0bd458674308", "description": "The following analytic detects the execution of the GNU Debugger (GDB) with specific flags that indicate an attempt to escalate privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where GDB is run with the `-nx`, `-ex`, and `sudo` flags. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could result in full system compromise, allowing an attacker to gain complete control over the affected endpoint.", "references": ["https://gtfobins.github.io/gtfobins/gdb/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gdb*\" AND Processes.process=\"*-nx*\" AND Processes.process=\"*-ex*!*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_gdb_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Gem Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "description": "The following analytic detects the execution of the RubyGems utility with elevated privileges, specifically when it is used to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"gem open -e\" and \"sudo\". This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as the root user. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute arbitrary commands with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/gem/", "https://en.wikipedia.org/wiki/RubyGems"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gem*open*-e*\" AND Processes.process=\"*-c*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_gem_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux GNU Awk Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-16", "version": 2, "id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "description": "The following analytic detects the execution of the 'gawk' command with elevated privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify command-line executions where 'gawk' is used with 'sudo' and 'BEGIN{system' patterns. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full root access, enabling the attacker to control the system, modify critical files, and maintain persistent access.", "references": ["https://gtfobins.github.io/gtfobins/gawk/", "https://www.geeksforgeeks.org/gawk-command-in-linux-with-examples/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gawk*\" AND Processes.process=\"*BEGIN*{system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_gnu_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Hardware Addition SwapOff", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "c1eea697-99ed-44c2-9b70-d8935464c499", "description": "The following analytic detects the execution of the \"swapoff\" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ swap off paging device in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"swapoff\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may disable swapping of devices in a linux host. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_hardware_addition_swapoff_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "description": "The following analytic detects a high frequency of file deletions in the /boot/ folder on Linux systems. It leverages filesystem event logs to identify when 200 or more files are deleted within an hour by the same process. This behavior is significant as it may indicate the presence of wiper malware, such as Industroyer2, which targets critical system directories. If confirmed malicious, this activity could lead to system instability or failure, hindering the boot process and potentially causing a complete system compromise.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/boot/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 3, "id": "9d867448-2aff-4d07-876c-89409a752ff8", "description": "The following analytic detects a high frequency of file deletions in the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model to identify instances where 200 or more files are deleted within an hour, grouped by process name and process ID. This behavior is significant as it may indicate the presence of wiper malware, such as AcidRain, which aims to delete critical system files. If confirmed malicious, this activity could lead to severe system instability, data loss, and potential disruption of services.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Impair Defenses Process Kill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "description": "The following analytic identifies the execution of the 'pkill' command, which is used to terminate processes on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because threat actors often use 'pkill' to disable security defenses or terminate critical processes, facilitating further malicious actions. If confirmed malicious, this behavior could lead to the disruption of security applications, enabling attackers to evade detection and potentially corrupt or destroy files on the targeted system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ tries to execute pkill commandline to terminate process in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( \"pgrep\", \"pkill\") Processes.process = \"*pkill *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can terminate a process using this linux command. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_impair_defenses_process_kill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Indicator Removal Clear Cache", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "e0940505-0b73-4719-84e6-cb94c44a5245", "description": "The following analytic detects processes that clear or free page cache on a Linux system. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line executions involving the kernel system request `drop_caches`. This activity is significant as it may indicate an attempt to delete forensic evidence or the presence of wiper malware like Awfulshred. If confirmed malicious, this behavior could allow an attacker to cover their tracks, making it difficult to investigate other malicious activities or system compromises.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ clear cache using kernel drop cache system request in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") AND Processes.process IN(\"* echo 3 > *\", \"* echo 2 > *\",\"* echo 1 > *\") AND Processes.process = \"*/proc/sys/vm/drop_caches\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_clear_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Indicator Removal Service File Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "description": "The following analytic detects the deletion of Linux service unit configuration files by suspicious processes. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes executing the 'rm' command targeting '.service' files. This activity is significant as it may indicate malware attempting to disable critical services or security products, a common defense evasion tactic. If confirmed malicious, this behavior could lead to service disruption, security tool incapacitation, or complete system compromise, severely impacting the integrity and availability of the affected Linux host.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ has a commandline $process$ to delete service configuration file in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process = \"*rm *\" AND Processes.process = \"*.service\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can delete services unit configuration file as part of normal software installation. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_service_file_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ingress Tool Transfer Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "description": "The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing curl or wget.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. This query is meant to help tune other curl and wget analytics.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ingress Tool Transfer with Curl", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "description": "The following analytic detects the use of the curl command with specific switches (-O, -sO, -ksO, --output) commonly used to download remote scripts or binaries. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to download and execute potentially malicious files, often used in initial stages of an attack. If confirmed malicious, this could lead to unauthorized code execution, enabling attackers to compromise the system further.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, \"(?i)(-O|-sO|-ksO|--output)\") | `linux_ingress_tool_transfer_with_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. Tune and then change type to TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_with_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "18b5a1a0-6326-11ec-943a-acde48001122", "description": "The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_insert_kernel_module_using_insmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "387b278a-6326-11ec-aa2c-acde48001122", "description": "The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_install_kernel_module_using_modprobe_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Iptables Firewall Modification", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "description": "The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns that alter firewall rules to accept traffic on certain TCP ports. This activity is significant as it can indicate malware, such as CyclopsBlink, modifying firewall settings to allow communication with a Command and Control (C2) server. If confirmed malicious, this could enable attackers to maintain persistent access and exfiltrate data, posing a severe security risk.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process name - $process_name$ that may modify iptables firewall on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*iptables *\" AND Processes.process = \"* --dport *\" AND Processes.process = \"* ACCEPT*\" AND Processes.process = \"*&>/dev/null*\" AND Processes.process = \"* tcp *\" AND NOT(Processes.parent_process_path IN(\"/bin/*\", \"/lib/*\", \"/usr/bin/*\", \"/sbin/*\")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process \"--dport (?3269|636|989|994|995|8443)\" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_iptables_firewall_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Java Spawning Shell", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "7b09db8a-5c20-11ec-9945-acde48001122", "description": "The following analytic detects instances where Java, Apache, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant as it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Spring4Shell CVE-2022-22965"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_java_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Kernel Module Enumeration", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "6df99886-0e04-4c11-8b88-325747419278", "description": "The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system.", "references": ["https://man7.org/linux/man-pages/man8/kmod.8.html"], "tags": {"analytic_story": ["Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN (\"*lsmod*\", \"*list*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_kernel_module_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Kworker Process In Writable Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "description": "The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process paths. This activity is significant as kworker processes are typically kernel threads, and their presence in writable directories is unusual and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, this could allow attackers to blend malicious processes with legitimate ones, leading to persistent access and further system compromise.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ with kworker commandline in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = \"*[kworker/*\" Processes.parent_process_path IN (\"/home/*\", \"/tmp/*\", \"/var/log/*\") Processes.process=\"*iptables*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_kworker_process_in_writable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Make Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-12", "version": 2, "id": "80b22836-5091-4944-80ee-f733ac443f4f", "description": "The following analytic detects the use of the 'make' command with elevated privileges to execute system commands as root, potentially leading to a root shell. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include 'make', '--eval', and 'sudo'. This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, an attacker could achieve full control over the system, execute arbitrary commands, and compromise the entire environment.", "references": ["https://gtfobins.github.io/gtfobins/make/", "https://www.javatpoint.com/linux-make-command"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*make*-s*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_make_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux MySQL Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "c0d810f4-230c-44ea-b703-989da02ff145", "description": "The following analytic detects the execution of MySQL commands with elevated privileges using sudo, which can lead to privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of MySQL to execute system commands as root, which could allow an attacker to gain root shell access. If confirmed malicious, this could result in full control over the affected system, leading to severe security breaches and unauthorized access to sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/mysql/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*mysql*-e*\" AND Processes.process=\"*\\!**\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_mysql_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "bc84d574-708c-467d-b78a-4c1e20171f97", "description": "The following analytic detects the use of Ngrok on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments associated with Ngrok. This activity is significant because Ngrok can be used by adversaries to establish reverse proxies, potentially bypassing network defenses. If confirmed malicious, this could allow attackers to create persistent, unauthorized access channels, facilitating data exfiltration or further exploitation of the compromised system.", "references": ["https://ngrok.com/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if Ngrok is an authorized utility. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Node Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-29", "version": 2, "id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "description": "The following analytic identifies the execution of Node.js with elevated privileges using sudo, specifically when spawning child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific Node.js commands. This activity is significant because running Node.js as a superuser without dropping privileges can allow unauthorized access to the file system and potential privilege escalation. If confirmed malicious, this could enable an attacker to maintain privileged access, execute arbitrary code, and compromise sensitive data within the environment.", "references": ["https://gtfobins.github.io/gtfobins/docker/", "https://en.wikipedia.org/wiki/Node.js"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*node*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*child_process.spawn*\" AND Processes.process=\"*stdio*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_node_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "description": "The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify command lines containing \"NOPASSWD:\". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands", "https://help.ubuntu.com/community/Sudoers"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*NOPASSWD:*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_nopasswd_entry_in_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "description": "The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"base64 -d\" or \"base64 --decode\". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and will require some tuning based on processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_obfuscated_files_or_information_base64_decode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Octave Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-18", "version": 2, "id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "description": "The following analytic detects the execution of GNU Octave with elevated privileges, specifically when it runs system commands via sudo. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments that include \"octave-cli,\" \"--eval,\" \"system,\" and \"sudo.\" This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands, severely impacting system security and integrity.", "references": ["https://gtfobins.github.io/gtfobins/octave/", "https://en.wikipedia.org/wiki/GNU_Octave"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*octave-cli*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_octave_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux OpenVPN Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 2, "id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "description": "The following analytic detects the execution of OpenVPN with elevated privileges, specifically when combined with the `--dev`, `--script-security`, `--up`, and `sudo` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/openvpn/", "https://en.wikipedia.org/wiki/OpenVPN"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*openvpn*\" AND Processes.process=\"*--dev*\" AND Processes.process=\"*--script-security*\" AND Processes.process=\"*--up*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_openvpn_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "description": "The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. This activity is significant for a SOC because it highlights behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system. If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Privilege escalation and persistence behaviors have been identified on $risk_object$.", "risk_score": 56, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN (\"Linux Privilege Escalation\", \"Linux Persistence Techniques\") OR source = \"*Linux*\") All_Risk.annotations.mitre_attack.mitre_tactic IN (\"persistence\", \"privilege-escalation\") All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`", "how_to_implement": "Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_persistence_and_privilege_escalation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux PHP Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-19", "version": 2, "id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "description": "The following analytic detects the execution of PHP commands with elevated privileges on a Linux system. It identifies instances where PHP is used in conjunction with 'sudo' and 'system' commands, indicating an attempt to run system commands as the root user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to full root access. If confirmed malicious, this could allow an attacker to execute arbitrary commands with root privileges, compromising the entire system.", "references": ["https://gtfobins.github.io/gtfobins/php/", "https://en.wikipedia.org/wiki/PHP"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*php*-r*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_php_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux pkexec Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "03e22c1c-8086-11ec-ac2e-acde48001122", "description": "The following analytic detects the execution of `pkexec` without any command-line arguments. This behavior leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry. The significance lies in the fact that this pattern is associated with the exploitation of CVE-2021-4034 (PwnKit), a critical vulnerability in Polkit's pkexec component. If confirmed malicious, this activity could allow an attacker to gain full root privileges on the affected Linux system, leading to complete system compromise and potential unauthorized access to sensitive information.", "references": ["https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/", "https://linux.die.net/man/1/pkexec", "https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/", "https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_pkexec_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "7a85eb24-72da-11ec-ac76-acde48001122", "description": "The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the sshd_config file. This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/ssh/sshd_config\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_access_or_modification_of_sshd_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Access To Credential Files", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "16107e0e-71fc-11ec-b862-acde48001122", "description": "The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.", "references": ["https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd", "https://attack.mitre.org/techniques/T1003/008/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/shadow*\", \"*/etc/passwd*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_credential_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Access To Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "4479539c-71fc-11ec-b2e2-acde48001122", "description": "The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.", "references": ["https://attack.mitre.org/techniques/T1548/003/", "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/sudoers*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Append Command To At Allow Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "7bc20606-5f40-11ec-a586-acde48001122", "description": "The following analytic detects suspicious command lines that append user entries to /etc/at.allow or /etc/at.deny files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving these files. This activity is significant because altering these configuration files can allow attackers to schedule tasks with elevated permissions, facilitating persistence on a compromised Linux host. If confirmed malicious, this could enable attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://linuxize.com/post/at-command-in-linux/", "https://attack.mitre.org/techniques/T1053/001/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify at allow config file in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/at.allow\", \"*/etc/at.deny\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_at_allow_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Append Command To Profile Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "9c94732a-61af-11ec-91e3-acde48001122", "description": "The following analytic detects suspicious command-lines that modify user profile files to automatically execute scripts or executables upon system reboot. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving profile files like ~/.bashrc and /etc/profile. This activity is significant as it indicates potential persistence mechanisms used by adversaries to maintain access to compromised hosts. If confirmed malicious, this could allow attackers to execute arbitrary code upon reboot, leading to persistent control over the system and potential further exploitation.", "references": ["https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work", "https://attack.mitre.org/techniques/T1546/004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may modify profile files in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*~/.bashrc\", \"*~/.bash_profile\", \"*/etc/profile\", \"~/.bash_login\", \"*~/.profile\", \"~/.bash_logout\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_profile_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "b5b91200-5f27-11ec-bb4e-acde48001122", "description": "The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.", "references": ["https://attack.mitre.org/techniques/T1053/003/", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Cronjob Modification With Editor", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "dcc89bde-5f24-11ec-87ca-acde48001122", "description": "The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like \"nano,\" \"vi,\" or \"vim.\" It identifies this activity by monitoring command-line executions that interact with cronjob configuration paths. This behavior is significant for a SOC as it may indicate attempts at privilege escalation or establishing persistent access. If confirmed malicious, the impact could be severe, allowing attackers to execute damaging actions such as data theft, system sabotage, or further network penetration.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file using editor in $dest$", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN(\"nano\",\"vim.basic\") OR Processes.process IN (\"*nano *\", \"*vi *\", \"*vim *\")) AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_cronjob_modification_with_editor_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Possible Ssh Key File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "c04ef40c-72da-11ec-8eac-acde48001122", "description": "The following analytic detects the creation of SSH key files in the ~/.ssh/ directory. It leverages filesystem data to identify new files in this specific path. This activity is significant because threat actors often create SSH keys to gain persistent access and escalate privileges on a compromised host. If confirmed malicious, this could allow attackers to remotely access the machine using the OpenSSH daemon service, leading to potential unauthorized control and data exfiltration.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/.ssh*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_possible_ssh_key_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Preload Hijack Library Calls", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "cbe2ca30-631e-11ec-8670-acde48001122", "description": "The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.", "references": ["https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may hijack library function on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*LD_PRELOAD*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_preload_hijack_library_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Proxy Socks Curl", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "description": "The following analytic detects the use of the `curl` command with proxy-related arguments such as `-x`, `socks`, `--preproxy`, and `--proxy`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an adversary attempting to use a proxy to evade network monitoring and obscure their actions. If confirmed malicious, this behavior could allow attackers to bypass security controls, making it difficult to track their activities and potentially leading to unauthorized data access or exfiltration.", "references": ["https://www.offensive-security.com/metasploit-unleashed/proxytunnels/", "https://curl.se/docs/manpage.html", "https://en.wikipedia.org/wiki/SOCKS", "https://oxylabs.io/blog/curl-with-proxy", "https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl.", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-x *\", \"*socks4a://*\", \"*socks5h://*\", \"*socks4://*\",\"*socks5://*\", \"*--preproxy *\", \"--proxy*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on proxy usage internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_proxy_socks_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Puppet Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "description": "The following analytic detects the execution of Puppet commands with elevated privileges, specifically when Puppet is used to apply configurations with sudo rights. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access and execute system commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control.", "references": ["https://gtfobins.github.io/gtfobins/puppet/", "https://en.wikipedia.org/wiki/Puppet_(software)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*puppet*\" AND Processes.process=\"*apply*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_puppet_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux RPM Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-21", "version": 2, "id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "description": "The following analytic detects the execution of the RPM Package Manager with elevated privileges, specifically when it is used to run system commands as root via the `--eval` and `lua:os.execute` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, this could lead to full system compromise, unauthorized access to sensitive data, and further exploitation of the environment.", "references": ["https://gtfobins.github.io/gtfobins/rpm/", "https://en.wikipedia.org/wiki/RPM_Package_Manager"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*rpm*--eval*\" AND Processes.process=\"*lua:os.execute*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_rpm_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Ruby Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-25", "version": 2, "id": "097b28b5-7004-4d40-a715-7e390501788b", "description": "The following analytic detects the execution of Ruby commands with elevated privileges on a Linux system. It identifies processes where Ruby is used with the `-e` flag to execute commands via `sudo`, leveraging Endpoint Detection and Response (EDR) telemetry. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access, execute arbitrary commands, and maintain persistent control over the affected system.", "references": ["https://gtfobins.github.io/gtfobins/ruby/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*ruby*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_ruby_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Service File Created In Systemd Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "c7495048-61b6-11ec-9a37-acde48001122", "description": "The following analytic detects the creation of suspicious service files within the systemd directories on Linux platforms. It leverages logs containing file name, file path, and process GUID data from endpoints. This activity is significant for a SOC as it may indicate an adversary attempting to establish persistence on a compromised host. If confirmed malicious, this could lead to system compromise or data exfiltration, allowing attackers to maintain control over the system and execute further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1053/006/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml"], "tags": {"analytic_story": ["Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service file named as $file_path$ is created in systemd folder on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN (\"*/etc/systemd/system*\", \"*/lib/systemd/system*\", \"*/usr/lib/systemd/system*\", \"*/run/systemd/system*\", \"*~/.config/systemd/*\", \"*~/.local/share/systemd/*\",\"*/etc/systemd/user*\", \"*/lib/systemd/user*\", \"*/usr/lib/systemd/user*\", \"*/run/systemd/user*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_service_file_created_in_systemd_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Service Restarted", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "084275ba-61b8-11ec-8d64-acde48001122", "description": "The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create or start a service on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"*restart*\", \"*reload*\", \"*reenable*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_service_restarted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Service Started Or Enabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 3, "id": "e0428212-61b7-11ec-88a3-acde48001122", "description": "The following analytic detects the creation or enabling of services on Linux platforms using the systemctl or service tools. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names, parent processes, and command-line executions. This activity is significant as adversaries may create or modify services to maintain persistence or execute malicious payloads. If confirmed malicious, this behavior could lead to persistent access, data theft, ransomware deployment, or other damaging outcomes. Monitoring and investigating such activities are crucial for maintaining the security and integrity of the environment.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may create or start a service on $dest", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"* start *\", \"* enable *\") AND NOT (Processes.os=\"Microsoft Windows\" OR Processes.vendor_product=\"Microsoft Windows\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_service_started_or_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Setuid Using Chmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "bf0304b6-6250-11ec-9d7c-acde48001122", "description": "The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = \"*chmod *\") AND Processes.process IN(\"* g+s *\", \"* u+s *\", \"* 4777 *\", \"* 4577 *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_chmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Setuid Using Setcap Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "9d96022e-6250-11ec-9a19-acde48001122", "description": "The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = \"*setcap *\") AND Processes.process IN (\"* cap_setuid=ep *\", \"* cap_setuid+ep *\", \"* cap_net_bind_service+p *\", \"* cap_net_raw+ep *\", \"* cap_dac_read_search+ep *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_setcap_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Shred Overwrite Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c1952cf1-643c-4965-82de-11c067cbae76", "description": "The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible shred overwrite command $process$ executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN (\"*-n*\", \"*-u*\", \"*-z*\", \"*-s*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_shred_overwrite_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Sqlite3 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "description": "The following analytic detects the execution of the sqlite3 command with elevated privileges, which can be exploited for privilege escalation. It leverages Endpoint Detection and Response (EDR) telemetry to identify instances where sqlite3 is used in conjunction with shell commands and sudo. This activity is significant because it indicates a potential attempt to gain root access, which could lead to full system compromise. If confirmed malicious, an attacker could execute arbitrary commands as root, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://gtfobins.github.io/gtfobins/sqlite3/", "https://manpages.ubuntu.com/manpages/trusty/en/man1/sqlite3.1.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sqlite3*\" AND Processes.process=\"*.shell*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_sqlite3_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux SSH Authorized Keys Modification", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "f5ab595e-28e5-4327-8077-5008ba97c850", "description": "The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like \"bash\" and \"cat\" interacting with \"authorized_keys\" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"bash\",\"cat\") Processes.process IN (\"*/authorized_keys*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering will be required as system administrators will add and remove. One way to filter query is to add \"echo\".", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_ssh_authorized_keys_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux SSH Remote Services Script Execute", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "description": "The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN (\"*oStrictHostKeyChecking*\", \"*oConnectTimeout*\", \"*oBatchMode*\") AND Processes.process IN (\"*http:*\",\"*https:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is not a common command to be executed. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_ssh_remote_services_script_execute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Stdout Redirection To Dev Null File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "description": "The following analytic detects command-line activities that redirect stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This behavior is significant as it can indicate attempts to hide command outputs, a technique observed in the CyclopsBlink malware to conceal modifications to iptables firewall settings. If confirmed malicious, this activity could allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that redirect stdout to dev/null in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*&>/dev/null*\" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_stdout_redirection_to_dev_null_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Stop Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "description": "The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process =\"*stop*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_stop_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Sudo OR Su Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "4b00f134-6d6a-11ec-a90c-acde48001122", "description": "The following analytic detects the execution of the \"sudo\" or \"su\" command on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names. This activity is significant because \"sudo\" and \"su\" commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1548/003/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that execute sudo or su in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"sudo\", \"su\") OR Processes.parent_process_name IN (\"sudo\", \"su\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_sudo_or_su_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Sudoers Tmp File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "be254a5c-63e7-11ec-89da-acde48001122", "description": "The following analytic detects the creation of the \"sudoers.tmp\" file, which occurs when editing the /etc/sudoers file using visudo or another editor on a Linux platform. This detection leverages filesystem data to identify the presence of \"sudoers.tmp\" files. Monitoring this activity is crucial as adversaries may exploit it to gain elevated privileges on a compromised host. If confirmed malicious, this activity could allow attackers to modify sudoers configurations, potentially granting them unauthorized access to execute commands as other users, including root, thereby compromising the system's security.", "references": ["https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*sudoers.tmp*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_sudoers_tmp_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux System Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "535cb214-8b47-11ec-a2c7-acde48001122", "description": "The following analytic identifies potential enumeration of local network configuration on Linux systems. It detects this activity by monitoring processes such as \"arp,\" \"ifconfig,\" \"ip,\" \"netstat,\" \"firewall-cmd,\" \"ufw,\" \"iptables,\" \"ss,\" and \"route\" within a 30-minute window. This behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks. If confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2", "Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Network discovery process $process_name_list$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN (\"arp\", \"ifconfig\", \"ip\", \"netstat\", \"firewall-cmd\", \"ufw\", \"iptables\", \"ss\", \"route\") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_system_network_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux System Reboot Via System Request Key", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "description": "The following analytic detects the execution of the SysReq hack to reboot a Linux system host. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe 'b' to /proc/sysrq-trigger. This activity is significant as it is an uncommon method to reboot a system and was observed in the Awfulshred malware wiper. If confirmed malicious, this technique could indicate the presence of suspicious processes and potential system compromise, leading to unauthorized reboots and disruption of services.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to reboot $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo b > *\" Processes.process = \"*/proc/sysrq-trigger\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_system_reboot_via_system_request_key_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "e7a96937-3b58-4962-8dce-538e4763cf15", "description": "The following analytic detects the execution of a command to enable all SysRq functions on a Linux system, a technique associated with the AwfulShred malware. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe bitmask '1' to /proc/sys/kernel/sysrq. This activity is significant as it can indicate an attempt to manipulate kernel system requests, which is uncommon and potentially malicious. If confirmed, this could allow an attacker to reboot the system or perform other critical actions, leading to system instability or further compromise.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo 1 > *\" Processes.process = \"*/proc/sys/kernel/sysrq\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_unix_shell_enable_all_sysrq_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Linux Visudo Utility Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "08c41040-624c-11ec-a71f-acde48001122", "description": "The following analytic detects the execution of the 'visudo' utility to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because unauthorized changes to the /etc/sudoers file can grant elevated privileges to users, potentially allowing adversaries to execute commands as root. If confirmed malicious, this could lead to full system compromise, privilege escalation, and persistent unauthorized access, severely impacting the security posture of the affected host.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "linux_visudo_utility_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Living Off The Land Detection", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "1be30d80-3a39-4df9-9102-64a467b24abc", "description": "The following correlation identifies multiple risk events associated with the \"Living Off The Land\" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.", "references": ["https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html", "https://research.splunk.com/stories/living_off_the_land/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Living Off The Land\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_detection_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories=\"Living Off The Land\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "living_off_the_land_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Loading Of Dynwrapx Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "eac5e8ba-4857-11ec-9371-acde48001122", "description": "The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. Immediate investigation of parallel processes and registry modifications is recommended.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "dynwrapx.dll loaded by process $process_name$ on $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\dynwrapx.dll\" OR OriginalFileName = \"dynwrapx.dll\" OR Product = \"DynamicWrapperX\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "loading_of_dynwrapx_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Local Account Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "5d0d4830-0133-11ec-bae3-acde48001122", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "local_account_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Local Account Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "4902d7aa-0134-11ec-9d65-acde48001122", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query local user accounts, specifically the `useraccount` argument. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "local_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "author": "Jose Hernandez, Splunk", "date": "2024-05-26", "version": 4, "id": "9be30d80-3a39-4df9-9102-64a467b24eac", "description": "The following analytic identifies potential exploitation of Log4Shell CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK tactics from Log4Shell-related detections. This activity is significant because it indicates a high probability of exploitation if two or more distinct tactics are observed. If confirmed malicious, this activity could lead to initial payload delivery, callback to a malicious server, and post-exploitation activities, potentially resulting in unauthorized access, lateral movement, and further compromise of the affected systems.", "references": ["https://research.splunk.com/stories/log4shell_cve-2021-44228/", "https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Log4Shell Exploitation detected against $risk_object$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Log4Shell CVE-2021-44228\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories=\"Log4Shell CVE-2021-44228\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "log4shell_cve_2021_44228_exploitation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Logon Script Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "4c38c264-1f74-11ec-b5fa-acde48001122", "description": "The following analytic detects the modification of the UserInitMprLogonScript registry entry, which is often used by attackers to establish persistence and gain privilege escalation upon system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the specified registry path. This activity is significant because it is a common technique used by APT groups and malware to ensure their payloads execute automatically when the system starts. If confirmed malicious, this could allow attackers to maintain persistent access and potentially escalate their privileges on the compromised host.", "references": ["https://attack.mitre.org/techniques/T1037/001/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Environment\\\\UserInitMprLogonScript\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "logon_script_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "LOLBAS With Network Traffic", "author": "Steven Dick", "date": "2024-05-11", "version": 2, "id": "2820f032-19eb-497e-8642-25b04a880359", "description": "The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "references": ["https://lolbas-project.github.io/#", "https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "message": "The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN (\"*Regsvcs.exe\", \"*\\\\Ftp.exe\", \"*OfflineScannerShell.exe\", \"*Rasautou.exe\", \"*Schtasks.exe\", \"*Xwizard.exe\", \"*Pnputil.exe\", \"*Atbroker.exe\", \"*Pcwrun.exe\", \"*Ttdinject.exe\", \"*Mshta.exe\", \"*Bitsadmin.exe\", \"*Certoc.exe\", \"*Ieexec.exe\", \"*Microsoft.Workflow.Compiler.exe\", \"*Runscripthelper.exe\", \"*Forfiles.exe\", \"*Msbuild.exe\", \"*Register-cimprovider.exe\", \"*Tttracer.exe\", \"*Ie4uinit.exe\", \"*Bash.exe\", \"*Hh.exe\", \"*SettingSyncHost.exe\", \"*Cmstp.exe\", \"*Stordiag.exe\", \"*Scriptrunner.exe\", \"*Odbcconf.exe\", \"*Extexport.exe\", \"*Msdt.exe\", \"*WorkFolders.exe\", \"*Diskshadow.exe\", \"*Mavinject.exe\", \"*Regasm.exe\", \"*Gpscript.exe\", \"*Regsvr32.exe\", \"*Msiexec.exe\", \"*Wuauclt.exe\", \"*Presentationhost.exe\", \"*Wmic.exe\", \"*Runonce.exe\", \"*Syncappvpublishingserver.exe\", \"*Verclsid.exe\", \"*Infdefaultinstall.exe\", \"*Installutil.exe\", \"*Netsh.exe\", \"*Wab.exe\", \"*Dnscmd.exe\", \"*\\\\At.exe\", \"*Pcalua.exe\", \"*Msconfig.exe\", \"*makecab.exe\", \"*cscript.exe\", \"*notepad.exe\", \"*\\\\cmd.exe\", \"*certutil.exe\", \"*\\\\powershell.exe\", \"*powershell_ise.exe\")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `lolbas_with_network_traffic_filter`", "how_to_implement": "To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.", "known_false_positives": "Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\") ", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "lolbas_with_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MacOS - Re-opened Applications", "author": "Jamie Windley, Splunk", "date": "2024-05-14", "version": 2, "id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "description": "The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to \"com.apple.loginwindow.\" This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*com.apple.loginwindow*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "macos___re_opened_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MacOS LOLbin", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 3, "id": "58d270fb-5b39-418e-a855-4b8ac046805e", "description": "The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as \"find\", \"crontab\", \"screencapture\", \"openssl\", \"curl\", \"wget\", \"killall\", and \"funzip\". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiplle LOLbin are executed on host $dest$ by user $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery` name=es_process_events columns.cmdline IN (\"find*\", \"crontab*\", \"screencapture*\", \"openssl*\", \"curl*\", \"wget*\", \"killall*\", \"funzip*\") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as user, cmdline as process, path as process_path, host as dest | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "None identified.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "macos_lolbin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MacOS plutil", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 4, "id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "description": "The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "plutil are executed on $dest$ from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "Administrators using plutil to change plist files.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "macos_plutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mailsniper Invoke functions", "author": "Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 3, "id": "a36972c8-b894-11eb-9f78-acde48001122", "description": "The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure.", "references": ["https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential mailsniper.ps1 functions executed on dest $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "mailsniper_invoke_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious InProcServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "127c8d08-25ff-11ec-9223-acde48001122", "description": "The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security.", "references": ["https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\CLSID\\\\{89565275-A714-4a43-912E-978B935EDCCC}\\\\InProcServer32\\\\(Default)\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "malicious_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious Powershell Executed As A Service", "author": "Ryan Becwar", "date": "2024-05-20", "version": 3, "id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "description": "The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "http://az4n6.blogspot.com/2017/", "https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "tags": {"analytic_story": ["Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $ImagePath$ by $user$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 | eval l_ImagePath=lower(ImagePath) | regex l_ImagePath=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_ImagePath=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName StartType ServiceType AccountName UserID dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Creating a hidden powershell service is rare and could key off of those instances.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "malicious_powershell_executed_as_a_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious PowerShell Process - Encoded Command", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-19", "version": 8, "id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "description": "The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts.", "references": ["https://regexr.com/662ov", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-320A", "DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "Qakbot", "Sandworm Tools", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running potentially malicious encodede commands on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators may use this option, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process___encoded_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 6, "id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "description": "The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like \"-ex\" or \"bypass.\" This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "DHS Report TA18-074A", "DarkCrystal RAT", "HAFNIUM Group", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "PowerShell local execution policy bypass attempt on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"* -ex*\" OR Processes.process=\"* bypass *\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process___execution_policy_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 6, "id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "description": "The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running with potential obfuscated arguments on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"`\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "These characters might be legitimately on the command-line, but it is not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process_with_obfuscation_techniques_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "13bbd574-83ac-11ec-99d4-acde48001122", "description": "The following analytic detects the use of Mimikatz command line parameters associated with pass-the-ticket attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns related to Kerberos ticket manipulation. This activity is significant because pass-the-ticket attacks allow adversaries to move laterally within an environment using stolen Kerberos tickets, bypassing normal access controls. If confirmed malicious, this could enable attackers to escalate privileges, access sensitive information, and maintain persistence within the network.", "references": ["https://github.com/gentilkiwi/mimikatz", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA22-320A", "CISA AA23-347A", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Mimikatz command line parameters for pass the ticket attacks were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*sekurlsa::tickets /export*\" OR Processes.process = \"*kerberos::ptt*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "mimikatz_passtheticket_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "description": "The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `mmc.exe` is the parent process. This activity is significant because adversaries can abuse the DCOM protocol and MMC20 COM object to execute malicious code, using Windows native binaries documented by the LOLBAS project. If confirmed malicious, this behavior could indicate lateral movement, allowing attackers to execute code remotely, potentially leading to further compromise and persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Mmc.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "mmc_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Modification Of Wallpaper", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "accb0712-c381-11eb-8e5b-acde48001122", "description": "The following analytic detects the modification of registry keys related to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify changes to the \"Control Panel\\\\Desktop\\\\Wallpaper\" and \"Control Panel\\\\Desktop\\\\WallpaperStyle\" registry keys, especially when the modifying process is not explorer.exe or involves suspicious file paths like temp or public directories. This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note. If confirmed malicious, this could signify a compromised machine and the presence of ransomware, leading to potential data encryption and extortion.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Brute Ratel C4", "LockBit Ransomware", "Ransomware", "Revil Ransomware", "Rhysida Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wallpaper modification on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode =13 (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Image != \"*\\\\explorer.exe\") OR (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Details IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may used to changed the wallpaper of the machine", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "modification_of_wallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Modify ACL permission To Files Or Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "7e8458cc-acca-11eb-9e3f-acde48001122", "description": "The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cacls.exe,\" \"icacls.exe,\" and \"xcacls.exe\" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious ACL permission modification on $dest$", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"xcacls.exe\") AND Processes.process = \"*/G*\" AND (Processes.process = \"* everyone:*\" OR Processes.process = \"* SYSTEM:*\" OR Processes.process = \"* S-1-1-0:*\") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may use this command. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "modify_acl_permission_to_files_or_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor Registry Keys for Print Monitors", "author": "Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 6, "id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "description": "The following analytic detects modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "New print monitor added on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "You will encounter noise from legitimate print-monitor registry entries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "monitor_registry_keys_for_print_monitors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "985f322c-57a5-11ec-b9ac-acde48001122", "description": "The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name=\"*.aspx\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MS Scripting Process Loading Ldap Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "0b0c40dc-14a6-11ec-b267-acde48001122", "description": "The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading ldap modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_ldap_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MS Scripting Process Loading WMI Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "2eba3d36-14a6-11ec-a682-acde48001122", "description": "The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading wmi modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_wmi_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MSBuild Suspicious Spawned By Script Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "213b3148-24ea-11ec-93a2-acde48001122", "description": "The following analytic detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is often associated with malware or adversaries executing malicious MSBuild processes via scripts on compromised hosts. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where MSBuild is a child of script hosts. This activity is significant as it may indicate an attempt to execute malicious code. If confirmed malicious, it could lead to unauthorized code execution, potentially compromising the host and allowing further malicious activities.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/"], "tags": {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"wscript.exe\", \"cscript.exe\") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as developers do not spawn MSBuild via a WSH.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "msbuild_suspicious_spawned_by_script_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "4aa5d062-e893-11eb-9eb2-acde48001122", "description": "The following analytic detects a suspicious mshta.exe process spawning rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, and parent process fields. This activity is significant as it is a known technique used by malware like Trickbot to load malicious DLLs and execute payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or download additional malware, posing a severe threat to the environment.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"mshta.exe\" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this anomaly behavior is not commonly seen in clean host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "mshta_spawning_rundll32_or_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MSHTML Module Load in Office Product", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 4, "id": "5f1c168e-118b-11ec-84ff-acde48001122", "description": "The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration.", "references": ["https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://strontic.github.io/xcyclopedia/index-dll", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=7 process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") loaded_file_path IN (\"*\\\\mshtml.dll\", \"*\\\\Microsoft.mshtml.dll\",\"*\\\\IE.Interop.MSHTML.dll\",\"*\\\\MshtmlDac.dll\",\"*\\\\MshtmlDed.dll\",\"*\\\\MshtmlDer.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "mshtml_module_load_in_office_product_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "MSI Module Loaded by Non-System Binary", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "ccb98a66-5851-11ec-b91c-acde48001122", "description": "The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "references": ["https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis", "https://github.com/AlexandrVIvanov/InstallerFileTakeOver", "https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/msi.dll%20Hijack%20(Methodology).ioc"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $dest$, potentally related to DLL side-loading.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\msi.dll\" NOT (Image IN (\"*\\\\System32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\windows\\\\*\", \"*\\\\winsxs\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "msi_module_loaded_by_non_system_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Msmpeng Application DLL Side Loading", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2024-05-16", "version": 4, "id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "description": "The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their expected directories. This activity is significant because it is associated with the REvil ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system compromise, and potential data loss or extortion.", "references": ["https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = \"msmpeng.exe\" OR Filesystem.file_name = \"mpsvc.dll\") AND NOT (Filesystem.file_path IN (\"*\\\\Program Files\\\\windows defender\\\\*\",\"*\\\\WinSxS\\\\*defender-service*\",\"*\\\\WinSxS\\\\Temp\\\\*defender-service*\")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "quite minimal false positive expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "msmpeng_application_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Net Localgroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "54f5201e-155b-11ec-a6e2-acde48001122", "description": "The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Graceful Wipe Out Attack", "IcedID", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon", "Windows Discovery Techniques", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process=\"*localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "net_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "NET Profiler UAC bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "0252ca80-e30d-11eb-8aa3-acde48001122", "description": "The following analytic detects modifications to the registry aimed at bypassing the User Account Control (UAC) feature in Windows. It identifies changes to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values. Monitoring this activity is crucial as it can indicate an attempt to escalate privileges or persist within the environment. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, compromising system integrity.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_path$ and key $registry_key_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Environment\\\\COR_PROFILER_PATH\" Registry.registry_value_data = \"*.dll\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "limited false positive. It may trigger by some windows update that will modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "net_profiler_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Connection Discovery With Arp", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "description": "The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"arp.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_arp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Connection Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "640337e5-6e41-4b7f-af06-9d9eab5e1e2d", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1049/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Connection Discovery With Netstat", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "description": "The following analytic detects the execution of `netstat.exe` with command-line arguments to list network connections on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as both Red Teams and adversaries use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map network connections, identify critical systems, and plan further lateral movement or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "CISA AA23-347A", "PlugX", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"netstat.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_netstat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Discovery Using Route Windows App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "dd83407e-439f-11ec-ab8e-acde48001122", "description": "The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. Note that false positives may occur due to legitimate administrative tasks or automated scripts.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "Prestige Ransomware", "Qakbot", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_route", "definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "network_discovery_using_route_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Share Discovery Via Dir Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "description": "The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.", "references": ["https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$user$ list executable files or directory in known sensitive SMB share. Share name=$ShareName$, Access mask=$AccessMask$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=5140 ShareName IN(\"\\\\\\\\*\\\\ADMIN$\",\"\\\\\\\\*\\\\C$\",\"*\\\\\\\\*\\\\IPC$\") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_share_discovery_via_dir_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Network Traffic to Active Directory Web Services Protocol", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "68a0056c-34cb-455f-b03d-df935ea62c4f", "description": "The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Network traffic to Active Directory Web Services Protocol was identified on $dest_ip$ by $src_ip$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `network_traffic_to_active_directory_web_services_protocol_filter`", "how_to_implement": "The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "network_traffic_to_active_directory_web_services_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Nishang PowershellTCPOneLine", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "description": "The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server. It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. This activity is significant as it indicates potential remote control or data exfiltration attempts by an attacker. If confirmed malicious, this could lead to unauthorized remote access, data theft, or further compromise of the affected system.", "references": ["https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.rapid7.com/blog/post/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"analytic_story": ["HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present. Filter as needed based on initial analysis.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "nishang_powershelltcponeline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "NLTest Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "c3e05466-5f22-11eb-ae93-0242ac130002", "description": "The following analytic identifies the execution of `nltest.exe` with command-line arguments `/domain_trusts` or `/all_trusts` to query Domain Trust information. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to understand domain trust relationships, which can inform their lateral movement strategies. If confirmed malicious, this activity could enable attackers to map out trusted domains, facilitating further compromise and pivoting within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://malware.news/t/lets-learn-trickbot-implements-network-collector-module-leveraging-cmd-wmi-ldap/19104", "https://attack.mitre.org/techniques/T1482/", "https://owasp.org/www-pdf-archive/Red_Team_Operating_in_a_Modern_Environment.pdf", "https://ss64.com/nt/nltest.html", "https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/", "https://thedfirreport.com/2020/10/08/ryuks-return/"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery", "IcedID", "Qakbot", "Rhysida Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain trust discovery execution on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_nltest", "definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "nltest_domain_trust_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "81263de4-160a-11ec-944f-acde48001122", "description": "The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non chrome browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\chrome.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\Google\\\\Chrome\\\\User Data\\\\Default*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_chrome_process_accessing_chrome_default_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "e6fc13b0-1609-11ec-b533-acde48001122", "description": "The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "Azorult", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non firefox browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\firefox.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_firefox_process_access_firefox_profile_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Notepad with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "description": "The following analytic identifies instances where Notepad.exe is launched without any command line arguments, a behavior commonly associated with the SliverC2 framework. This detection leverages process creation events from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by Notepad.exe within a short time frame. This activity is significant as it may indicate an attempt to inject malicious code into Notepad.exe, a known tactic for evading detection. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and unauthorized access.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(notepad\\.exe.{0,4}$)\" | `notepad_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on organization endpoint behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "notepad_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ntdsutil Export NTDS", "author": "Michael Haag, Patrick Bareiss, Splunk", "date": "2024-05-30", "version": 2, "id": "da63bc76-61ae-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Ntdsutil to export the Active Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because exporting NTDS.dit can be a precursor to offline password cracking, posing a severe security risk. If confirmed malicious, an attacker could gain access to sensitive credentials, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Active Directory NTDS export on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ntdsutil_export_ntds_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Application Drop Executable", "author": "Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github", "date": "2024-05-14", "version": 5, "id": "73ce70c4-146d-11ec-9184-acde48001122", "description": "The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as .exe, .dll, or .ps1. This behavior is significant as it is often associated with spear-phishing attacks where malicious files are dropped to compromise the host. If confirmed malicious, this activity could lead to code execution, privilege escalation, or persistent access, posing a severe threat to the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "FIN7", "PlugX", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ drops a file $file_name$ in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\",\"*.dll\",\"*.pif\",\"*.scr\",\"*.js\",\"*.vbs\",\"*.vbe\",\"*.ps1\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "office macro for automation may do this behavior", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_application_drop_executable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Application Spawn Regsvr32 process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 5, "id": "2d9fc90c-f11f-11eb-9300-acde48001122", "description": "The following analytic identifies instances where an Office application spawns a Regsvr32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. This activity is significant because it is a common technique used by malware, such as IcedID, to initiate infections. If confirmed malicious, this behavior could lead to code execution, allowing attackers to gain control over the affected system and potentially escalate privileges.", "references": ["https://www.joesandbox.com/analysis/380662/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning regsvr32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name = \"outlook.exe\" OR Processes.parent_process_name = \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name=\"msaccess.exe\") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_application_spawn_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Application Spawn rundll32 process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 5, "id": "958751e4-9c5f-11eb-b103-acde48001122", "description": "The following analytic identifies instances where an Office application spawns a rundll32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. This activity is significant because it is a common technique used by malware, such as Trickbot, to initiate infections. If confirmed malicious, this behavior could lead to code execution, further system compromise, and potential data exfiltration.", "references": ["https://any.run/malware-trends/trickbot", "https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "IcedID", "NjRAT", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning rundll32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_application_spawn_rundll32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Document Creating Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 7, "id": "cc8b7b74-9d0f-11eb-8342-acde48001122", "description": "The following analytic detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`. This detection leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` file. This activity is significant as it is a common technique used by malicious macro malware to establish persistence or initiate beaconing. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activities, posing a significant threat to the environment.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An Office document was identified creating a scheduled task on $dest$. Investigate further.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") loaded_file_path = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_creating_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Document Executing Macro Code", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 6, "id": "b12c89bc-9d06-11eb-a592-acde48001122", "description": "The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.", "references": ["https://www.joesandbox.com/analysis/386500/0/html", "https://www.joesandbox.com/analysis/702680/0/html", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/", "https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "DarkCrystal RAT", "IcedID", "NjRAT", "PlugX", "Qakbot", "Remcos", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document executing a macro on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") loaded_file_path IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_executing_macro_code_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Document Spawned Child Process To Download", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 7, "id": "6fed27d2-9ec7-11eb-8fe4-aa665a019aa3", "description": "The following analytic identifies Office applications spawning child processes to download content via HTTP/HTTPS. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications like Word or Excel initiate network connections, excluding common browsers. This activity is significant as it often indicates the use of malicious documents to execute living-off-the-land binaries (LOLBins) for payload delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further malware deployment, posing a severe threat to the organization's security.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT", "PlugX", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document spawning suspicious child process on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") Processes.process IN (\"*http:*\",\"*https:*\") NOT (Processes.original_file_name IN(\"firefox.exe\", \"chrome.exe\",\"iexplore.exe\",\"msedge.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Default browser not in the filter list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_document_spawned_child_process_to_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawn CMD Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 6, "id": "b8b19420-e892-11eb-9244-acde48001122", "description": "The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "DarkCrystal RAT", "NjRAT", "PlugX", "Qakbot", "Remcos", "Trickbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name= \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\" OR Processes.parent_process_name=\"Graph.exe\" OR Processes.parent_process_name=\"winproj.exe\") `process_cmd` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "IT or network admin may create an document automation that will run shell script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_spawn_cmd_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning BITSAdmin", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 6, "id": "e8c591f4-a6d7-11eb-8cf7-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because `bitsadmin.exe` is commonly used for malicious file transfers, potentially indicating a malware infection. If confirmed malicious, this activity could allow attackers to download additional payloads, escalate privileges, or establish persistence, leading to further compromise of the affected system.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_spawning_bitsadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 6, "id": "6925fe72-a6d5-11eb-9e17-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `certutil.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process relationships and command-line executions. The significance lies in the fact that `certutil.exe` is frequently used for downloading malicious payloads from remote URLs. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further system compromise. Immediate investigation and containment are crucial to prevent potential damage.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning MSHTA", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 5, "id": "6078fa20-a6d2-11eb-b662-acde48001122", "description": "The following analytic identifies instances where a Microsoft Office product spawns `mshta.exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is an Office application. This activity is significant because it is a common technique used by malware families like TA551 and IcedID to execute malicious scripts or payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/"], "tags": {"analytic_story": ["Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "IcedID", "NjRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\", \"onenote.exe\",\"onenotem.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_spawning_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 6, "id": "c661f6be-a38c-11eb-be57-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process and parent process relationships. This activity is significant as it is a known tactic of the IcedID malware family, which can lead to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. Immediate investigation and containment are recommended.", "references": ["https://www.joesandbox.com/analysis/395471/0/html", "https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/", "https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_spawning_rundll32_with_no_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 6, "id": "b3628a5b-8d02-42fa-a891-eebf2351cbe1", "description": "The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ on host $dest$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") Processes.process_name IN (\"wscript.exe\", \"cscript.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on macro based approved documents in the organization. Filtering may be needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Spawning Wmic", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 7, "id": "ffc236d6-a6c9-11eb-95f1-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `wmic.exe`, specifically when the command-line of `wmic.exe` contains `wmic process call create`. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it is commonly associated with the Ursnif malware family, indicating potential malicious activity. If confirmed malicious, this could allow an attacker to execute arbitrary commands, leading to further system compromise, data exfiltration, or lateral movement within the network.", "references": ["https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/", "https://attack.mitre.org/techniques/T1047/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "FIN7", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_spawning_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Product Writing cab or inf", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 5, "id": "f48cd1d4-125a-11ec-a447-acde48001122", "description": "The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.", "references": ["https://twitter.com/vxunderground/status/1436326057179860992?s=20", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.inf\",\"*.cab\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_product_writing_cab_or_inf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Office Spawning Control", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "053e027c-10c7-11ec-8437-acde48001122", "description": "The following analytic identifies instances where `control.exe` is spawned by a Microsoft Office product. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it can indicate exploitation attempts related to CVE-2021-40444, where `control.exe` is used to execute malicious .cpl or .inf files. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://www.echotrail.io/insights/search/control.exe/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "office_spawning_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Outbound Network Connection from Java Using Default Ports", "author": "Mauricio Velazco, Lou Stella, Splunk", "date": "2024-05-26", "version": 3, "id": "d2c14d28-5c47-11ec-9892-acde48001122", "description": "The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker’s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Java performed outbound connections to default ports of LDAP or RMI on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name=\"java.exe\" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate Java applications may use perform outbound connections to these ports. Filter as needed", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "outbound_network_connection_from_java_using_default_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Overwriting Accessibility Binaries", "author": "David Dorsey, Splunk", "date": "2024-05-25", "version": 5, "id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "description": "The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A suspicious file modification or replace in $file_path$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\Windows\\\\System32\\\\sethc.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\utilman.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\osk.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Magnify.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Narrator.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "overwriting_accessibility_binaries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PaperCut NG Suspicious Behavior Debug Log", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "395163b8-689b-444b-86c7-9fe9ad624734", "description": "The following analytic identifies potential exploitation attempts on a PaperCut NG server by analyzing its debug log data. It detects unauthorized or suspicious access attempts from public IP addresses and searches for specific URIs associated with known exploits. The detection leverages regex to parse unstructured log data, focusing on admin login activities. This activity is significant as it can indicate an active exploitation attempt on the server. If confirmed malicious, attackers could gain unauthorized access, potentially leading to data breaches or further compromise of the server.", "references": ["https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs", "https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md", "https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Behavior related to exploitation of PaperCut NG has been identified on $host$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, \"(?i)(\\/app\\?service=page\\/SetupCompleted|\\/app|\\/app\\?service=page\\/PrinterList|\\/app\\?service=direct\\/1\\/PrinterList\\/selectPrinter&sp=l1001|\\/app\\?service=direct\\/1\\/PrinterDetails\\/printerOptionsTab\\.tab)\"), \"URI matches\", null()) | eval ip_match=if(match(_raw, \"(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\") AND NOT match(_raw, \"(?i)(10\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\\.(1[6-9]|2[0-9]|3[0-1])\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\\.168\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\"), \"IP matches\", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`", "how_to_implement": "Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.", "known_false_positives": "False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "papercutng", "definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "papercut_ng_suspicious_behavior_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Password Policy Discovery with Net", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "09336538-065a-11ec-8665-acde48001122", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") AND Processes.process = \"*accounts*\" AND Processes.process = \"*/domain*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "password_policy_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Permission Modification using Takeown App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "description": "The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data.", "references": ["https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"], "tags": {"analytic_story": ["Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"takeown.exe\" Processes.process = \"*/f*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "takeown.exe is a normal windows application that may used by network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "permission_modification_using_takeown_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PetitPotam Network Share Access Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "95b8061a-0a67-11ec-85ec-acde48001122", "description": "The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.", "references": ["https://attack.mitre.org/techniques/T1187/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` SubjectUserName=\"ANONYMOUS LOGON\" EventCode=5145 RelativeTargetName=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`", "how_to_implement": "Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.", "known_false_positives": "False positives have been limited when the Anonymous Logon is used for Account Name.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_network_share_access_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 3, "id": "e3ef244e-0a67-11ec-abf2-acde48001122", "description": "The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 src!=\"::1\" TargetUserName=*$ CertThumbprint!=\"\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`", "how_to_implement": "The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.", "known_false_positives": "False positives are possible if the environment is using certificates for authentication.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_suspicious_kerberos_tgt_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ping Sleep Batch Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "ce058d6c-79f2-11ec-b476-acde48001122", "description": "The following analytic identifies the execution of ping sleep batch commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection or sandbox analysis. If confirmed malicious, this technique allows attackers to bypass security measures, making it harder to detect and analyze their activities, thereby increasing the risk of prolonged unauthorized access and potential data exfiltration.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "Warzone RAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious $process$ commandline run in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = \"*ping*\" Processes.parent_process = *-n* Processes.parent_process=\"* Nul*\"Processes.parent_process=\"*>*\") OR (Processes.process = \"*ping*\" Processes.process = *-n* Processes.process=\"* Nul*\"Processes.process=\"*>*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator may execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_ping", "definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ping_sleep_batch_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Possible Browser Pass View Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "8ba484e8-4b97-11ec-b19a-acde48001122", "description": "The following analytic identifies processes with command-line parameters associated with web browser credential dumping tools, specifically targeting behaviors used by Remcos RAT malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and specific file paths. This activity is significant as it indicates potential credential theft, a common tactic in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain unauthorized access to sensitive web credentials, leading to further system compromise and data breaches.", "references": ["https://www.nirsoft.net/utils/web_browser_password.html", "https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious process $process_name$ contains commandline $process$ on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*/stext *\", \"*/shtml *\", \"*/LoadPasswordsIE*\", \"*/LoadPasswordsFirefox*\", \"*/LoadPasswordsChrome*\", \"*/LoadPasswordsOpera*\", \"*/LoadPasswordsSafari*\" , \"*/UseOperaPasswordFile*\", \"*/OperaPasswordFile*\",\"*/stab*\", \"*/scomma*\", \"*/stabular*\", \"*/shtml*\", \"*/sverhtml*\", \"*/sxml*\", \"*/skeepass*\" ) AND Processes.process IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positive is quite limited. Filter is needed", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "possible_browser_pass_view_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 3, "id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "description": "The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1021/006/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/005/", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A PowerShell process was spawned as a child process of typically abused processes on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN (\"*c:\\windows\\ccm\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "possible_lateral_movement_powershell_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Potential password in username", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-11", "version": 2, "id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "description": "The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system.", "references": ["https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928"], "tags": {"analytic_story": ["Credential Dumping", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential password in username ($user$) with Shannon entropy ($ut_shannon$)", "risk_score": 21, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY \"Authentication.user\" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search=\"| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\\\"$src$\\\" Authentication.dest=\\\"$dest$\\\" sourcetype IN (\\\"$sourcetype$\\\") earliest=\\\"$starttime$\\\" latest=\\\"$endtime$\\\" BY \\\"Authentication.user\\\" | `drop_dm_object_name(\\\"Authentication\\\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\\\"$incorrect_cred$\\\" | eval ut_shannon=\\\"$ut_shannon$\\\" | sort count\" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`", "how_to_implement": "To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000.", "known_false_positives": "Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potential_password_in_username_false_positive_reduction", "definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username"}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "potential_password_in_username_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Potentially malicious code on commandline", "author": "Michael Hart, Splunk", "date": "2024-05-12", "version": 2, "id": "9c53c446-757e-11ec-871d-acde48001122", "description": "The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as \"streamreader,\" \"webclient,\" \"mutex,\" \"function,\" and \"computehash,\" which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1059/003/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unusual command-line execution with command line length greater than 200 found on $dest$ with commandline value - [$process$]", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=\"Endpoint.Processes\" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potentially_malicious_code_on_cmdline_tokenize_score", "definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "potentially_malicious_code_on_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell 4104 Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "d6f2b006-0041-11ec-8885-acde48001122", "description": "The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.", "references": ["https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell", "https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt", "https://devblogs.microsoft.com/powershell/powershell-the-blue-team/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1", "https://www.mandiant.com/resources/greater-visibilityt", "https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware", "Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,\"(?i)(\\$doit)\"), \"4\", 0) | eval enccom=if(match(ScriptBlockText,\"[A-Za-z0-9+\\/]{44,}([A-Za-z0-9+\\/]{4}|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{2}==)\") OR match(ScriptBlockText, \"(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, \"(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\\S+|invoke-\\S+hunter|Install-Service|get-\\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand\"),1,0) | eval base64 = if(match(lower(ScriptBlockText),\"frombase64\"), \"4\", 0) | eval empire=if(match(lower(ScriptBlockText),\"system.net.webclient\") AND match(lower(ScriptBlockText), \"frombase64string\") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),\"mimikatz\") OR match(lower(ScriptBlockText), \"-dumpcr\") OR match(lower(ScriptBlockText), \"SEKURLSA::Pth\") OR match(lower(ScriptBlockText), \"kerberos::ptt\") OR match(lower(ScriptBlockText), \"kerberos::golden\") ,5,0) | eval iex=if(match(ScriptBlockText, \"(?i)iex|invoke-expression\"),2,0) | eval webclient=if(match(lower(ScriptBlockText),\"http\") OR match(lower(ScriptBlockText),\"web(client|request)\") OR match(lower(ScriptBlockText),\"socket\") OR match(lower(ScriptBlockText),\"download(file|string)\") OR match(lower(ScriptBlockText),\"bitstransfer\") OR match(lower(ScriptBlockText),\"internetexplorer.application\") OR match(lower(ScriptBlockText),\"xmlhttp\"),5,0) | eval get = if(match(lower(ScriptBlockText),\"get-\"), \"1\", 0) | eval rundll32 = if(match(lower(ScriptBlockText),\"rundll32\"), \"4\", 0) | eval suspkeywrd=if(match(ScriptBlockText, \"(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\\.Assembly|shellcode|injection|cnvert|shell\\.application|start-process|Rc4ByteStream|System\\.Security\\.Cryptography|lsass\\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)\"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),\"syswow64\"), \"3\", 0) | eval httplocal = if(match(lower(ScriptBlockText),\"http://127.0.0.1\"), \"4\", 0) | eval reflection = if(match(lower(ScriptBlockText),\"reflection\"), \"1\", 0) | eval invokewmi=if(match(lower(ScriptBlockText), \"(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)\"),5,0) | eval downgrade=if(match(ScriptBlockText, \"(?i)([-]ve*r*s*i*o*n*\\s+2)\") OR match(lower(ScriptBlockText),\"powershell -version\"),3,0) | eval compressed=if(match(ScriptBlockText, \"(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive\"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),\"invoke-command\"), \"4\", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Limited false positives. May filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_4104_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "author": "David Dorsey, Michael Haag Splunk", "date": "2024-05-12", "version": 9, "id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "description": "The following analytic detects PowerShell commands using the WindowStyle parameter to hide the window while connecting to the Internet. This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions that include variations of the WindowStyle parameter. This activity is significant because it attempts to bypass default PowerShell execution policies and conceal its actions, which is often indicative of malicious intent. If confirmed malicious, this could allow an attacker to execute commands stealthily, potentially leading to unauthorized data exfiltration or further compromise of the endpoint.", "references": ["https://regexr.com/663rr", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/"], "tags": {"analytic_story": ["AgentTesla", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "powershell___connect_to_internet_with_hidden_window_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ea61e291-af05-4716-932a-67faddb6ae6f", "description": "The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script has been identified with InProcServer32 within the script code on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Software\\\\Classes\\\\CLSID\\\\*\\\\InProcServer32*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives will be present if any scripts are adding to inprocserver32. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Creating Thread Mutex", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 4, "id": "637557ec-ca08-11eb-bd0a-acde48001122", "description": "The following analytic detects the execution of PowerShell scripts using the `mutex` function via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create thread mutexes, a technique often used in obfuscated scripts to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment.", "references": ["https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains Thread Mutex on host $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Threading.Mutex*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell developer may used this function in their script for instance checking too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_creating_thread_mutex_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Disable Security Monitoring", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 4, "id": "c148a894-dd93-11eb-bf2a-acde48001122", "description": "The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Defender Real-time Behavior Monitoring disabled on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"*set-mppreference*\" AND Processes.process IN (\"*disablerealtimemonitoring*\",\"*disableioavprotection*\",\"*disableintrusionpreventionsystem*\",\"*disablescriptscanning*\",\"*disableblockatfirstseen*\",\"*DisableBehaviorMonitoring*\",\"*drtm *\",\"*dioavp *\",\"*dscrptsc *\",\"*dbaf *\",\"*dbm *\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. However, tune based on scripts that may perform this action.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "powershell_disable_security_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Domain Enumeration", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "e1866ce2-ca22-11eb-8e44-acde48001122", "description": "The following analytic detects the execution of PowerShell commands used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_domain_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Enable PowerShell Remoting", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "description": "The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-PSremoting on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Enable-PSRemoting*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_enable_powershell_remoting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Enable SMB1Protocol Feature", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "afed80b2-d34b-11eb-a952-acde48001122", "description": "The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Powershell Enable SMB1Protocol Feature on $Computer$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Enable-WindowsOptionalFeature*\" ScriptBlockText = \"*SMB1Protocol*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "network operator may enable or disable this windows feature.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_enable_smb1protocol_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Execute COM Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "65711630-f9bf-11eb-8d72-acde48001122", "description": "The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains COM CLSID command on host $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*CreateInstance([type]::GetTypeFromCLSID*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operrator may use this command.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_execute_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "a26d9db4-c883-11eb-9d75-acde48001122", "description": "The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains GetProcAddress API on host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_fileless_process_injection_via_getprocaddress_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "8acbc04c-c882-11eb-b060-acde48001122", "description": "The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell", "NjRAT", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains base64 command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_fileless_script_contains_base64_encoded_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Get LocalGroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "b71adfcc-155b-11ec-9413-acde48001122", "description": "The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process=\"*get-localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "powershell_get_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "d7c6ad22-155c-11ec-bb64-acde48001122", "description": "The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on endpoint $dest$ by user $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-localgroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_get_localgroup_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "651ee958-a433-471c-b264-39725b788b83", "description": "The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-CIMMethod*\", \"*New-CimSession*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_invoke_cimmethod_cimsession_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Invoke WmiExec Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "0734bd21-2769-4972-a5f1-78bb1e011224", "description": "The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-WmiExec on $Computer$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-wmiexec*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_invoke_wmiexec_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Load Module in Meterpreter", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "d5905da5-d050-48db-9259-018d8f034fcf", "description": "The following analytic detects the execution of suspicious PowerShell commands associated with Meterpreter modules, such as \"MSF.Powershell\" and \"MSF.Powershell.Meterpreter\". It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it indicates potential post-exploitation actions, including credential dumping and persistence mechanisms. If confirmed malicious, an attacker could gain extensive control over the compromised system, escalate privileges, and maintain long-term access, posing a severe threat to the environment.", "references": ["https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs"], "tags": {"analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_id", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*MSF.Powershell*\",\"*MSF.Powershell.Meterpreter*\",\"*MSF.Powershell.Meterpreter.Kiwi*\",\"*MSF.Powershell.Meterpreter.Transport*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives should be very limited as this is strict to MetaSploit behavior.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_load_module_in_meterpreter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 4, "id": "85bc3f30-ca28-11eb-bd21-acde48001122", "description": "The following analytic detects the use of PowerShell to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["AgentTesla", "AsyncRAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*[system.reflection.assembly]::load(*\",\"*[reflection.assembly]*\", \"*reflection.assembly*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as day to day scripts do not use this method.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_loading_dotnet_into_memory_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Processing Stream Of Data", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "0d718b52-c9f1-11eb-bc61-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment.", "references": ["https://medium.com/@ahmedjouini99/deobfuscating-emotets-powershell-payload-e39fb116f7b9", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*IO.Compression.*\" OR ScriptBlockText = \"*IO.StreamReader*\" OR ScriptBlockText = \"*]::Decompress*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to process compressed data.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_processing_stream_of_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Remote Services Add TrustedHost", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "bef21d24-297e-45e3-9b9a-c6ac45450474", "description": "The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a powershell script adding a remote trustedhost on $dest$ .", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*WSMan:\\\\localhost\\\\Client\\\\TrustedHosts*\" ScriptBlockText IN (\"* -Value *\", \"* -Concatenate *\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "user and network administrator may used this function to add trusted host.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_remote_services_add_trustedhost_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Remote Thread To Known Windows Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "description": "The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "references": ["https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode = 8 parent_process_name IN (\"powershell_ise.exe\", \"powershell.exe\") TargetImage IN (\"*\\\\svchost.exe\",\"*\\\\csrss.exe\" \"*\\\\gpupdate.exe\", \"*\\\\explorer.exe\",\"*\\\\services.exe\",\"*\\\\winlogon.exe\",\"*\\\\smss.exe\",\"*\\\\wininit.exe\",\"*\\\\userinit.exe\",\"*\\\\spoolsv.exe\",\"*\\\\taskhost.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remote_thread_to_known_windows_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Remove Windows Defender Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 4, "id": "adf47620-79fa-11ec-b248-acde48001122", "description": "The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing \"rmdir\" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "suspicious powershell script $ScriptBlockText$ was executed on the $Computer$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*rmdir *\" AND ScriptBlockText = \"*\\\\Microsoft\\\\Windows Defender*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_remove_windows_defender_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Script Block With URL Chain", "author": "Steven Dick", "date": "2024-05-30", "version": 2, "id": "4a3f2a7d-6402-4e64-a76a-869588ec3b57", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. It leverages PowerShell operational logs to detect script blocks with embedded URLs, often indicative of obfuscated scripts or those attempting to download secondary payloads. This activity is significant as it may signal an attempt to execute malicious code or download additional malware. If confirmed malicious, this could lead to code execution, further system compromise, or data exfiltration. Review parallel processes and the full script block for additional context and related artifacts.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*http:*\",\"*https:*\") | regex ScriptBlockText=\"(\\\"?(https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\\\"?(?:,|\\))?){2,}\" | rex max_match=20 field=ScriptBlockText \"(?https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_script_block_with_url_chain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Start-BitsTransfer", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "39e2605a-90d8-11eb-899e-acde48001122", "description": "The following analytic detects the execution of the PowerShell command `Start-BitsTransfer`, which can be used for file transfers, including potential data exfiltration. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because `Start-BitsTransfer` can be abused by adversaries to upload sensitive files to remote locations, posing a risk of data loss. If confirmed malicious, this could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further exploitation of the network.", "references": ["https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281", "https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs"], "tags": {"analytic_story": ["BITS Jobs"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "powershell_start_bitstransfer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell Start or Stop Service", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "description": "The following analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security.", "references": ["https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_start_or_stop_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Using memory As Backing Store", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution using memory streams as a backing store, identified via EventCode 4104. It leverages PowerShell Script Block Logging to capture scripts that create new objects with memory streams, often used to decompress and execute payloads in memory. This activity is significant as it indicates potential in-memory execution of malicious code, bypassing traditional file-based detection. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges without leaving a trace on the disk.", "references": ["https://web.archive.org/web/20201112031711/https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains memorystream command on host $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to store out object into memory.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_using_memory_as_backing_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell WebRequest Using Memory Stream", "author": "Steven Dick", "date": "2024-05-12", "version": 2, "id": "103affa6-924a-4b53-aff4-1d5075342aab", "description": "The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*system.net.webclient*\",\"*system.net.webrequest*\") AND ScriptBlockText=\"*IO.MemoryStream*\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_webrequest_using_memory_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Powershell Windows Defender Exclusion Commands", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "description": "The following analytic detects the use of PowerShell commands to add or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "Warzone RAT", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $ScriptBlockText$ executed on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Add-MpPreference *\" OR ScriptBlockText = \"*Set-MpPreference *\") AND ScriptBlockText = \"*-exclusion*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell_windows_defender_exclusion_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "description": "The following analytic detects the execution of \"bcdedit.exe\" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage.", "references": ["https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"], "tags": {"analytic_story": ["Chaos Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"bcdedit.exe\" Processes.process = \"*bootstatuspolicy*\" Processes.process = \"*ignoreallfailures*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration ignore failure during testing and debugging.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "prevent_automatic_repair_mode_using_bcdedit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Print Processor Registry Autostart", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "1f5b68aa-2037-11ec-898e-acde48001122", "description": "The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine.", "references": ["https://attack.mitre.org/techniques/T1547/012/", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Print Processors*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "possible new printer installation may add driver component on this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "print_processor_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Print Spooler Adding A Printer Driver", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "313681a2-da8e-11eb-adad-acde48001122", "description": "The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as \"kernelbase.dll\" and \"UNIDRV.DLL.\" This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. Immediate isolation and investigation of the endpoint are recommended.", "references": ["https://twitter.com/MalwareJake/status/1410421445608476679?s=20", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious print driver was loaded on endpoint $ComputerName$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`printservice` EventCode=316 category = \"Adding a printer driver\" Message = \"*kernelbase.dll,*\" Message = \"*UNIDRV.DLL,*\" Message = \"*.DLL.*\" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "Unknown. This may require filtering.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "print_spooler_adding_a_printer_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Print Spooler Failed to Load a Plug-in", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "1adc9548-da7c-11eb-8f13-acde48001122", "description": "The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as \"meterpreter.dll,\" with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`printservice` ((ErrorCode=\"0x45A\" (EventCode=\"808\" OR EventCode=\"4909\")) OR (\"The print spooler failed to load a plug-in module\" OR \"\\\\drivers\\\\x64\\\\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "False positives are unknown and filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "print_spooler_failed_to_load_a_plug_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Creating LNK file in Suspicious Location", "author": "Jose Hernandez, Michael Haag, Splunk", "date": "2024-05-15", "version": 7, "id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "description": "The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\\User*` or `*\\Local\\Temp\\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.", "references": ["https://attack.mitre.org/techniques/T1566/001/", "https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["Amadey", "IcedID", "Qakbot", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that launching .lnk file in $file_path$ in host $dest$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.lnk\" AND (Filesystem.file_path=\"C:\\\\Users\\\\*\" OR Filesystem.file_path=\"*\\\\Temp\\\\*\") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_name Processes.parent_process_guid Processes.process_name Processes.dest Processes.process Processes.path | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "process_creating_lnk_file_in_suspicious_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Deleting Its Process File Path", "author": "Teoderick Contreras", "date": "2024-05-27", "version": 3, "id": "f7eda4bc-871c-11eb-b110-acde48001122", "description": "The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "Data Destruction", "Remcos", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $Image$ tries to delete its process path in commandline $CommandLine$ as part of defense evasion in host $dest$ by user $user$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=1 CommandLine = \"* /c *\" CommandLine = \"* del*\" Image = \"*\\\\cmd.exe\" | eval result = if(like(process,\"%\".parent_process.\"%\"), \"Found\", \"Not Found\") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = \"Found\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "process_deleting_its_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-22", "version": 6, "id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "description": "The following analytic detects the execution of a process by `WmiPrvSE.exe`, indicating potential use of WMI (Windows Management Instrumentation) for process creation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as WMI can be used for lateral movement, remote code execution, or persistence by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary commands or scripts, potentially leading to further compromise of the affected system or network.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN (\"*\\\\dismhost.exe*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to execute commands for legitimate purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "process_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Kill Base On File Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "description": "The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process=\"*process*\" AND Processes.process=\"*executablepath*\" AND Processes.process=\"*delete*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "process_kill_base_on_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Process Writing DynamicWrapperX", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "b0a078e4-2601-11ec-9aec-acde48001122", "description": "The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"dynwrapx.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "process_writing_dynamicwrapperx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes launching netsh", "author": "Michael Haag, Josef Kuepker, Splunk", "date": "2024-05-24", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162040e", "description": "The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "Netsh Abuse", "Snake Keylogger", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 14, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "processes_launching_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes Tapping Keyboard Events", "author": "Jose Hernandez, Splunk", "date": "2024-05-13", "version": 2, "id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "description": "The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.", "known_false_positives": "There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "processes_tapping_keyboard_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Randomly Generated Scheduled Task Name", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "description": "The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://splunkbase.splunk.com/app/2734/", "https://en.wikipedia.org/wiki/Entropy_(information_theory)"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task with a suspicious task name was created on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Scheduled Task names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_scheduled_task_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Randomly Generated Windows Service Name", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "description": "The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service with a suspicious service name was installed on $ComputerName$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Windows Service names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_windows_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ransomware Notes bulk creation", "author": "Teoderick Contreras", "date": "2024-05-25", "version": 2, "id": "eff7919a-8330-11eb-83f8-acde48001122", "description": "The following analytic identifies the bulk creation of ransomware notes (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode 11 to detect multiple instances of these file types being created within a short time frame. This activity is significant as it often indicates an active ransomware attack, where the attacker is notifying the victim of the encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Chaos Ransomware", "Clop Ransomware", "DarkSide Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A high frequency file creation of $file_name$ in different file path in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ransomware_notes_bulk_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Recon AVProduct Through Pwh or WMI", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "28077620-c9f6-11eb-8785-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like \"SELECT,\" \"WMIC,\" \"AntiVirusProduct,\" or \"AntiSpywareProduct.\" This activity is significant as it is commonly used by malware and APT actors to map running security applications or services, potentially aiding in evasion techniques. If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Prestige Ransomware", "Qakbot", "Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains AV recon command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "recon_avproduct_through_pwh_or_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Recon Using WMI Class", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "018c1972-ca07-11eb-9473-acde48001122", "description": "The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Industroyer2", "LockBit Ransomware", "Malicious PowerShell", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains host recon commands detected on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 (ScriptBlockText= \"*SELECT*\" OR ScriptBlockText= \"*Get-WmiObject*\") AND (ScriptBlockText= \"*Win32_Bios*\" OR ScriptBlockText= \"*Win32_OperatingSystem*\" OR ScriptBlockText= \"*Win32_Processor*\" OR ScriptBlockText= \"*Win32_ComputerSystem*\" OR ScriptBlockText= \"*Win32_PnPEntity*\" OR ScriptBlockText= \"*Win32_ShadowCopy*\" OR ScriptBlockText= \"*Win32_DiskDrive*\" OR ScriptBlockText= \"*Win32_PhysicalMemory*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "recon_using_wmi_class_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Recursive Delete of Directory In Batch CMD", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 4, "id": "ba570b3a-d356-11eb-8358-acde48001122", "description": "The following analytic detects the execution of a batch command designed to recursively delete files or directories, a technique often used by ransomware like Reddot to delete files in the recycle bin and prevent recovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific flags for recursive and quiet deletions. This activity is significant as it indicates potential ransomware behavior aimed at data destruction. If confirmed malicious, it could lead to significant data loss and hinder recovery efforts, severely impacting business operations.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Recursive Delete of Directory In Batch CMD by $user$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process=\"* rd *\" Processes.process=\"*/s*\" Processes.process=\"*/q*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may use this batch command to delete recursively a directory or files within directory", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "recursive_delete_of_directory_in_batch_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 6, "id": "8470d755-0c13-45b3-bd63-387a373c10cf", "description": "The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise.", "references": [], "tags": {"analytic_story": ["Living Off The Land", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A reg.exe process $process_name$ with commandline $process$ in host $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "reg_exe_manipulating_windows_services_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Registry Keys for Creating SHIM Databases", "author": "Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 7, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "description": "The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to shim modication in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "registry_keys_for_creating_shim_databases_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Registry Keys Used For Persistence", "author": "Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk", "date": "2024-05-25", "version": 10, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "description": "The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.", "references": [], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "CISA AA23-347A", "Chaos Ransomware", "DHS Report TA18-074A", "DarkGate Malware", "Emotet Malware DHS Report TA18-201A", "IcedID", "NjRAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Qakbot", "Ransomware", "RedLine Stealer", "Remcos", "Snake Keylogger", "Sneaky Active Directory Persistence Tricks", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to persistence in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce OR Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\" OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\" OR Registry.registry_path=*\\\\currentversion\\\\run* OR Registry.registry_path=*\\\\currentVersion\\\\Windows\\\\Appinit_Dlls* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Notify* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\VmApplet* OR Registry.registry_path=*\\\\currentversion\\\\policies\\\\explorer\\\\run* OR Registry.registry_path=*\\\\currentversion\\\\runservices* OR Registry.registry_path=HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\* OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\" OR Registry.registry_path= *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler OR Registry.registry_path= *\\\\Classes\\\\htmlfile\\\\shell\\\\open\\\\command OR (Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\") OR (Registry.registry_path=\"*currentVersion\\\\Windows\" AND Registry.registry_key_name=\"Load\") OR (Registry.registry_path=\"*\\\\CurrentVersion\" AND Registry.registry_key_name=\"Svchost\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\Control\\Session Manager\"AND Registry.registry_key_name=\"BootExecute\") OR (Registry.registry_path=\"*\\\\Software\\\\Run\" AND Registry.registry_key_name=\"auto_update\")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Registry Keys Used For Privilege Escalation", "author": "Steven Dick, David Dorsey, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 8, "id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "description": "The following analytic detects modifications to registry keys under \"Image File Execution Options\" that can be used for privilege escalation. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths and values like GlobalFlag and Debugger. This activity is significant because attackers can use these modifications to intercept executable calls and attach malicious binaries to legitimate system binaries. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges, leading to potential system compromise and persistent access.", "references": ["https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Data Destruction", "Hermetic Wiper", "Suspicious Windows Registry Activities", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to privilege escalation in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "f421c250-24e7-11ec-bc43-acde48001122", "description": "The following analytic detects the loading of a DLL using the regsvr32 application with the silent parameter and DLLInstall execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent process details. This activity is significant as it is commonly used by RAT malware like Remcos and njRAT to load malicious DLLs on compromised machines. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, and further compromise the system.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/", "https://attack.mitre.org/techniques/T1218/010/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Living Off The Land", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process=\"*/i*\" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_silent_and_install_param_dll_loading_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other third part application may used this parameter but not so common in base windows environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "regsvr32_silent_and_install_param_dll_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 3, "id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "description": "The following analytic detects the execution of Regsvr32.exe with the silent switch to load DLLs. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing the `-s` or `/s` switches. This activity is significant as it is commonly used in malware campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, this could allow an attacker to execute arbitrary code, download additional payloads, and potentially compromise the system further. Immediate investigation and endpoint isolation are recommended.", "references": ["https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/", "https://regexr.com/699e2"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Living Off The Land", "Qakbot", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_with_known_silent_switch_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "minimal. but network operator can use this application to load dll.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "regsvr32_with_known_silent_switch_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remcos client registry install entry", "author": "Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "f2a1615a-1d63-11ec-97d2-acde48001122", "description": "The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the \"license\" key is found in the \"Software\\Remcos\" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. Immediate investigation and remediation are required.", "references": ["https://attack.mitre.org/software/S0332/"], "tags": {"analytic_story": ["Remcos", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\\\Software\\\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remcos_client_registry_install_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remcos RAT File Creation in Remcos Folder", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2024-05-24", "version": 3, "id": "25ae862a-1ac3-11ec-94a1-acde48001122", "description": "The following analytic detects the creation of files in the Remcos folder within the AppData directory, specifically targeting keylog and clipboard log files. It leverages the Endpoint.Filesystem data model to identify .dat files created in paths containing \"remcos.\" This activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. If confirmed malicious, this could lead to unauthorized data exfiltration and extensive surveillance capabilities for the attacker.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "file $file_name$ created in $file_path$ of $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.dat\") Filesystem.file_path = \"*\\\\remcos\\\\*\" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remcos_rat_file_creation_in_remcos_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Desktop Process Running On System", "author": "David Dorsey, Splunk", "date": "2024-05-24", "version": 6, "id": "f5939373-8054-40ad-8c64-cec478a22a4a", "description": "The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_desktop_process_running_on_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint by abusing the DCOM protocol, specifically targeting ShellExecute and ExecuteShellCommand. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant as it indicates potential lateral movement and remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, escalate privileges, and move laterally within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing DCOM using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Document.ActiveView.ExecuteShellCommand*\" OR Processes.process=\"*Document.Application.ShellExecute*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_dcom_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "description": "The following analytic detects the execution of PowerShell commands that initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Document.Application.ShellExecute*\" OR ScriptBlockText=\"*Document.ActiveView.ExecuteShellCommand*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint via the WinRM protocol, specifically targeting the `Invoke-Command` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-Command*\" AND Processes.process=\"*-ComputerName*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_winrm_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "description": "The following analytic detects the execution of PowerShell commands that use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify such activities. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Invoke-Command*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and Winrs", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "description": "The following analytic detects the execution of `winrs.exe` with command-line arguments used to start a process on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs", "https://attack.mitre.org/techniques/T1021/006/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process=\"*-r:*\" OR Processes.process=\"*-remote:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_winrm_and_winrs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WMI", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 8, "id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "description": "The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Ransomware", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=\"*/node:*\" AND Processes.process=\"*process*\" AND Processes.process=\"*call*\" AND Processes.process=\"*create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` using the `Invoke-WmiMethod` cmdlet to start a process on a remote endpoint via WMI. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it indicates potential lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-WmiMethod*\" AND Processes.process=\"*-CN*\" AND Processes.process=\"*-Class Win32_Process*\" AND Processes.process=\"*-Name create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_wmi_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "2a048c14-4634-11ec-a618-3e22fbd008af", "description": "The following analytic detects the execution of the `Invoke-WmiMethod` commandlet with parameters used to start a process on a remote endpoint via WMI, leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies specific script block text patterns associated with remote process instantiation. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Invoke-WmiMethod*\" AND (ScriptBlockText=\"*-CN*\" OR ScriptBlockText=\"*-ComputerName*\") AND ScriptBlockText=\"*-Class Win32_Process*\" AND ScriptBlockText=\"*-Name create*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 3, "id": "70803451-0047-4e12-9d63-77fa7eb8649c", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell scripts to query Active Directory for domain computers. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` or `findOne()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to perform Active Directory discovery and gain situational awareness. If confirmed malicious, this could lead to further reconnaissance and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration with adsisearcher on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*adsisearcher*\" AND ScriptBlockText = \"*objectcategory=computer*\" AND ScriptBlockText IN (\"*findAll()*\",\"*findOne()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remote_system_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "description": "The following analytic detects the execution of `dsquery.exe` with the `computer` argument, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Remote system discovery is significant as it indicates potential reconnaissance activities by adversaries or Red Teams to map out network resources and Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, lateral movement, and unauthorized access to critical systems within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "9df16706-04a2-41e2-bbfe-9b38b34409d3", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*domain computers*\" AND Processes.process=*/do*) OR (Processes.process=\"*view*\" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote System Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "description": "The following analytic detects the execution of `wmic.exe` with specific command-line arguments used to discover remote systems within a domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out network resources and Active Directory structures. If confirmed malicious, this behavior could allow attackers to gain situational awareness, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_computer* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote WMI Command Attempt", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-17", "version": 5, "id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "description": "The following analytic detects the execution of `wmic.exe` with the `node` switch, indicating an attempt to spawn a local or remote process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, the attacker could gain remote control over the targeted system, execute arbitrary commands, and potentially escalate privileges or persist within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.yaml", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Graceful Wipe Out Attack", "IcedID", "Living Off The Land", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain node commandline $process$ in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use this legitimately to gather info from remote systems. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_wmi_command_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Resize ShadowStorage volume", "author": "Teoderick Contreras", "date": "2024-05-13", "version": 2, "id": "bc760ca6-8336-11eb-bcbb-acde48001122", "description": "The following analytic identifies the resizing of shadow storage volumes, a technique used by ransomware like CLOP to prevent the recreation of shadow volumes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"vssadmin.exe\" with parameters related to resizing shadow storage. This activity is significant as it indicates an attempt to hinder recovery efforts by manipulating shadow copies. If confirmed malicious, this could lead to successful ransomware deployment, making data recovery difficult and increasing the potential for data loss.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://redcanary.com/blog/blackbyte-ransomware/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $parent_process_name$ attempt to resize shadow copy with commandline $process$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell.exe\" OR Processes.parent_process_name = \"powershell_ise.exe\" OR Processes.parent_process_name = \"wmic.exe\" Processes.process_name = \"vssadmin.exe\" Processes.process=\"*resize*\" Processes.process=\"*shadowstorage*\" Processes.process=\"*/maxsize*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can resize the shadowstorage for valid purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "resize_shadowstorage_volume_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Revil Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 3, "id": "85facebe-c382-11eb-9c3e-acde48001122", "description": "The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as \"-nolan\", \"-nolocal\", \"-fast\", and \"-full\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* -nolan *\" OR Processes.process = \"* -nolocal *\" OR Processes.process = \"* -fast *\" OR Processes.process = \"* -full *\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party tool may have same command line parameters as revil ransomware.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "revil_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Revil Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 4, "id": "e3d3f57a-c381-11eb-9e35-acde48001122", "description": "The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as `SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant` and `SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "revil_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rubeus Command Line Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "cca37478-8377-11ec-b59a-acde48001122", "description": "The following analytic detects the use of Rubeus command line parameters, a toolset for Kerberos attacks within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as Rubeus is commonly used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Rubeus command line parameters were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*ptt /ticket*\" OR Processes.process = \"* monitor /interval*\" OR Processes.process =\"* asktgt* /user:*\" OR Processes.process =\"* asktgs* /service:*\" OR Processes.process =\"* golden* /user:*\" OR Processes.process =\"* silver* /service:*\" OR Processes.process =\"* kerberoast*\" OR Processes.process =\"* asreproast*\" OR Processes.process = \"* renew* /ticket:*\" OR Processes.process = \"* brute* /password:*\" OR Processes.process = \"* brute* /passwords:*\" OR Processes.process =\"* harvest*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "rubeus_command_line_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "5ed8c50a-8869-11ec-876f-acde48001122", "description": "The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "Winlogon.exe was accessed by $SourceImage$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `sysmon` EventCode=10 TargetImage=C:\\\\Windows\\\\system32\\\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\\\Windows\\\\system32\\\\svchost.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\lsass.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\LogonUI.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\smss.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment.", "known_false_positives": "Legitimate applications may obtain a handle for winlogon.exe. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Runas Execution in CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "4807e716-43a4-11ec-a0e7-acde48001122", "description": "The following analytic detects the execution of the runas.exe process with administrator user options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to gain elevated privileges, a common tactic in privilege escalation and lateral movement. If confirmed malicious, this could allow an attacker to execute commands with higher privileges, potentially leading to unauthorized access, data exfiltration, or further compromise of the target host.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "elevated process using runas on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = \"*/user:*\" AND Processes.process = \"*admin*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_runas", "definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "runas_execution_in_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Control RunDLL Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "description": "The following analytic identifies instances of rundll32.exe executing with `Control_RunDLL` in the command line, which is indicative of loading a .cpl or other file types. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as rundll32.exe can be exploited to execute malicious Control Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "rundll32_control_rundll_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "1adffe86-10c3-11ec-8ce6-acde48001122", "description": "The following analytic detects the execution of rundll32.exe with the `Control_RunDLL` command, loading files from world-writable directories such as windows\\temp, programdata, or appdata. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process command-line data and specific directory paths. This activity is significant as it may indicate an attempt to exploit CVE-2021-40444 or similar vulnerabilities, allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "rundll32_control_rundll_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Create Remote Thread To A Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "2dbeee3a-f067-11eb-96c0-acde48001122", "description": "The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage = \"*.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_create_remote_thread_to_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "f8a22586-ee2d-11eb-a193-acde48001122", "description": "The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_createremotethread_in_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 DNSQuery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "f1483f5e-ee29-11eb-9d23-acde48001122", "description": "The following analytic detects a suspicious `rundll32.exe` process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is commonly associated with IcedID malware, where `rundll32.exe` checks internet connectivity and communicates with C&C servers to download configurations and other components. If confirmed malicious, this activity could allow attackers to establish persistence, download additional payloads, and exfiltrate sensitive data, posing a severe threat to the network.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ made a DNS query for $query$ from host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 process_name=\"rundll32.exe\" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_dnsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 LockWorkStation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "fa90f372-f91d-11eb-816c-acde48001122", "description": "The following analytic detects the execution of the rundll32.exe command with the user32.dll,LockWorkStation parameter, which is used to lock the workstation via command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is an uncommon method to lock a screen and has been observed in CONTI ransomware tooling for defense evasion. If confirmed malicious, this technique could indicate an attempt to evade detection and hinder incident response efforts.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,LockWorkStation*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "rundll32_lockworkstation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 3, "id": "6338266a-ee2a-11eb-bf68-acde48001122", "description": "The following analytic detects a rundll32 process creating executable (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to identify instances where rundll32.exe generates these file types. This activity is significant because rundll32 is often exploited by malware, such as IcedID, to drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, establish persistence, or escalate privileges within the environment.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "rundll32 process drops a file $file_name$ on host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*rundll32.exe\" TargetFilename IN (\"*.exe\", \"*.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_process_creating_exe_dll_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 Shimcache Flush", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "a913718a-25b6-11ec-96d3-acde48001122", "description": "The following analytic detects the execution of a suspicious rundll32 command line used to clear the shim cache. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because clearing the shim cache is an anti-forensic technique aimed at evading detection and removing forensic artifacts. If confirmed malicious, this action could hinder incident response efforts, allowing an attacker to cover their tracks and maintain persistence on the compromised machine.", "references": ["https://blueteamops.medium.com/shimcache-flush-89daff28d15e"], "tags": {"analytic_story": ["Living Off The Land", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32 process execute $process$ to clear shim cache in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = \"*apphelp.dll,ShimFlushCache*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "rundll32_shimcache_flush_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-21", "version": 5, "id": "35307032-a12d-11eb-835f-acde48001122", "description": "The following analytic detects the execution of rundll32.exe without command line arguments, followed by a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry and network traffic data. It is significant because rundll32.exe typically requires arguments to function, and its absence is often associated with malicious activity, such as Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to establish unauthorized network connections, potentially leading to data exfiltration or further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "rundll32_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "RunDLL Loading DLL By Ordinal", "author": "Michael Haag, David Dorsey, Splunk", "date": "2024-05-20", "version": 7, "id": "6c135f8d-5e60-454e-80b7-c56eed739833", "description": "The following analytic detects rundll32.exe loading a DLL export function by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant because adversaries may use rundll32.exe to execute malicious code while evading security tools that do not monitor this process. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://twitter.com/M_haggis/status/1491109262428635136", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"rundll32.+\\#\\d+\") | `rundll_loading_dll_by_ordinal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "rundll_loading_dll_by_ordinal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ryuk Test Files Detected", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 2, "id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "description": "The following analytic identifies the presence of files containing the keyword \"Ryuk\" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A creation of ryuk test file $file_path$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE \"Filesystem.file_path\"=C:\\\\*Ryuk* BY \"Filesystem.dest\", \"Filesystem.user\", \"Filesystem.file_path\" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ryuk_test_files_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ryuk Wake on LAN Command", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "538d0152-7aaa-11eb-beaa-acde48001122", "description": "The following analytic detects the use of Wake-on-LAN commands associated with Ryuk ransomware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line activities. This behavior is significant as Ryuk ransomware uses Wake-on-LAN to power on devices in a compromised network, increasing its encryption success rate. If confirmed malicious, this activity could lead to widespread ransomware encryption across multiple endpoints, causing significant operational disruption and data loss. Immediate isolation and thorough investigation of the affected endpoints are crucial to mitigate the impact.", "references": ["https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf"], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with wake on LAN commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*8 LAN*\" OR Processes.process=\"*9 REP*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no known false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ryuk_wake_on_lan_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SAM Database File Access Attempt", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "57551656-ebdb-11eb-afdf-acde48001122", "description": "The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\\system32\\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions", "https://en.wikipedia.org/wiki/Security_Account_Manager"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "ObjectName", "type": "File", "role": ["Attacker"]}], "message": "The following process $process_name$ accessed the object $ObjectName$ attempting to gain access to credentials on $dest$ by user $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` (EventCode=4663) ProcessName!=*\\\\dllhost.exe ObjectName IN (\"*\\\\Windows\\\\System32\\\\config\\\\SAM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SYSTEM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SECURITY*\") | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sam_database_file_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Samsam Test File Write", "author": "Rico Valdez, Splunk", "date": "2024-05-14", "version": 2, "id": "493a879d-519d-428f-8f57-a06a0fdc107e", "description": "The following analytic detects the creation of a file named \"test.txt\" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A samsam ransomware test file creation in $file_path$ in host $dest$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\windows\\\\system32\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`", "how_to_implement": "You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "No false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "samsam_test_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sc exe Manipulating Windows Services", "author": "Rico Valdez, Splunk", "date": "2024-05-20", "version": 5, "id": "f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d", "description": "The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.", "references": ["https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "NOBELIUM Group", "Orangeworm Attack Group", "Windows Drivers", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\"* create *\" OR Processes.process=\"* config *\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "sc_exe_manipulating_windows_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SchCache Change By App Connect And Create ADSI Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "991eb510-0fc6-11ec-82d3-acde48001122", "description": "The following analytic detects an application attempting to connect and create an ADSI object to perform an LDAP query. It leverages Sysmon EventCode 11 to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. This activity is significant as it can indicate the presence of suspicious applications, such as ransomware, using ADSI object APIs for LDAP queries. If confirmed malicious, this behavior could allow attackers to gather sensitive directory information, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $Image$ create a file $TargetFilename$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=11 TargetFilename = \"*\\\\Windows\\\\SchCache\\\\*\" TargetFilename = \"*.sch*\" NOT (Image IN (\"*\\\\Windows\\\\system32\\\\mmc.exe\")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal application like mmc.exe and other ldap query tool may trigger this detections.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schcache_change_by_app_connect_and_create_adsi_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schedule Task with HTTP Command Arguments", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "523c2684-a101-11eb-916b-acde48001122", "description": "The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/"], "tags": {"analytic_story": ["Living Off The Land", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN (\"*http*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_http_command_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "description": "The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*rundll32*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_rundll32_command_trigger_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "4be54858-432f-11ec-8209-3e22fbd008af", "description": "The following analytic detects the creation of scheduled tasks on remote Windows endpoints using the at.exe command. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events involving at.exe with remote command-line arguments. Identifying this activity is significant for a SOC as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this activity could lead to unauthorized access, persistence, or execution of malicious code, potentially resulting in data theft or further compromise of the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "scheduled_task_creation_on_remote_endpoint_using_at_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "author": "Bhavin Patel, Splunk", "date": "2024-05-17", "version": 7, "id": "d5af132c-7c17-439c-9d31-13d55340f36c", "description": "The following analytic identifies the creation or deletion of scheduled tasks using the schtasks.exe utility with the -create or -delete flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it can indicate unauthorized system manipulation or malicious intent, often associated with threat actors like Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this activity could allow attackers to execute code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.joesandbox.com/analysis/691823/0/html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "CISA AA22-257A", "CISA AA23-347A", "DHS Report TA18-074A", "DarkCrystal RAT", "Living Off The Land", "NOBELIUM Group", "NjRAT", "Phemedrone Stealer", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Sandworm Tools", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "scheduled_task_deleted_or_created_via_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "95cf4608-4302-11ec-8194-3e22fbd008af", "description": "The following analytic detects the use of 'schtasks.exe' to start a Scheduled Task on a remote endpoint. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process details such as process name, parent process, and command-line executions. This activity is significant as adversaries often abuse Task Scheduler for lateral movement and remote code execution. If confirmed malicious, this behavior could allow attackers to execute arbitrary code remotely, potentially leading to further compromise of the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was ran on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "scheduled_task_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schtasks Run Task On Demand", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "bb37061e-af1f-11eb-a159-acde48001122", "description": "The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["CISA AA22-257A", "Data Destruction", "Industroyer2", "Qakbot", "Scheduled Tasks", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A \"on demand\" execution of schedule task process $process_name$ using commandline $process$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/run*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "schtasks_run_task_on_demand_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schtasks scheduling job on remote system", "author": "David Dorsey, Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 7, "id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "description": "The following analytic detects the use of 'schtasks.exe' to create a scheduled task on a remote system, indicating potential lateral movement or remote code execution. It leverages process data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments and flags. This activity is significant as it may signify an adversary's attempt to persist or execute code remotely. If confirmed malicious, this could allow attackers to maintain access, execute arbitrary commands, or further infiltrate the network, posing a severe security risk.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "NOBELIUM Group", "Phemedrone Stealer", "Prestige Ransomware", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=\"*/create*\" AND Processes.process=\"*/s*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "schtasks_scheduling_job_on_remote_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Schtasks used for forcing a reboot", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 5, "id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "description": "The following analytic detects the use of 'schtasks.exe' to schedule forced system reboots using the 'shutdown' and '/create' flags. It leverages endpoint process data to identify instances where these specific command-line arguments are used. This activity is significant because it may indicate an adversary attempting to disrupt operations or force a reboot to execute further malicious actions. If confirmed malicious, this could lead to system downtime, potential data loss, and provide an attacker with an opportunity to execute additional payloads or evade detection.", "references": [], "tags": {"analytic_story": ["Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*shutdown*\" Processes.process=\"*/create *\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "schtasks_used_for_forcing_a_reboot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Screensaver Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "58cea3ec-1f6d-11ec-8560-acde48001122", "description": "The following analytic detects modifications to the SCRNSAVE.EXE registry entry, indicating potential event trigger execution via screensaver settings for persistence or privilege escalation. It leverages registry activity data from the Endpoint data model to identify changes to the specified registry path. This activity is significant as it is a known technique used by APT groups and malware to maintain persistence or escalate privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, leading to further system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1546/002/", "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/screensaver"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "screensaver_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Script Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "aa73f80d-d728-4077-b226-81ea0c8be589", "description": "The following analytic detects the execution of scripts via Windows Management Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. WMI-based script execution is significant because adversaries often use it to perform malicious activities stealthily, such as system compromise, data exfiltration, or establishing persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain long-term access to the environment. Analysts should differentiate between legitimate administrative use and potential threats.", "references": ["https://redcanary.com/blog/child-processes/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process_name$ that execute script in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "script_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sdclt UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 4, "id": "d71efbf6-da63-11eb-8c6e-acde48001122", "description": "The following analytic detects suspicious modifications to the sdclt.exe registry, a technique often used to bypass User Account Control (UAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific registry paths and values associated with sdclt.exe. This activity is significant because UAC bypasses can allow attackers to execute payloads with elevated privileges without user consent. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and potential persistence within the environment, posing a severe security risk.", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", "https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\control.exe*\" OR Registry.registry_path= \"*\\\\exefile\\\\shell\\\\runas\\\\command\\\\*\") (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"IsolatedCommand\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "sdclt_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sdelete Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "31702fc0-2682-11ec-85c3-acde48001122", "description": "The following analytic detects the execution of the sdelete.exe application, a Sysinternals tool often used by adversaries to securely delete files and remove forensic evidence from a targeted host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as sdelete.exe is not commonly used in regular operations and its presence may indicate an attempt to cover malicious activities. If confirmed malicious, this could lead to the loss of critical forensic data, hindering incident response and investigation efforts.", "references": ["https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "sdelete process $process_name$ executed in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may execute and use this application", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_sdelete", "definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "sdelete_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SearchProtocolHost with no Command Line with Network", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 4, "id": "b690df8c-a145-11eb-a38b-acde48001122", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments but with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because searchprotocolhost.exe typically runs with specific command line arguments, and deviations from this norm can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to establish network connections for command and control, potentially leading to data exfiltration or further system compromise.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "searchprotocolhost_with_no_command_line_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "5672819c-be09-11eb-bbfb-acde48001122", "description": "The following analytic detects the potential use of the secretsdump.py tool to dump NTLM hashes from a copy of ntds.dit and the SAM, SYSTEM, and SECURITY registry hives. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and process names associated with secretsdump.py. This activity is significant because it indicates an attempt to extract sensitive credential information offline, which is a common post-exploitation technique. If confirmed malicious, this could allow an attacker to obtain NTLM hashes, facilitating further lateral movement and potential privilege escalation within the network.", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"python*.exe\" Processes.process = \"*.py*\" Processes.process = \"*-ntds*\" (Processes.process = \"*-system*\" OR Processes.process = \"*-sam*\" OR Processes.process = \"*-security*\" OR Processes.process = \"*-bootkey*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "secretdumps_offline_ntds_dumping_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "13243068-2d38-11ec-8908-acde48001122", "description": "The following analytic detects the use of `powershell.exe` to query the domain for Service Principal Names (SPNs) using Script Block Logging EventCode 4104. It identifies the use of the KerberosRequestorSecurityToken class within the script block, which is equivalent to using setspn.exe. This activity is significant as it often precedes kerberoasting or silver ticket attacks, which can lead to credential theft. If confirmed malicious, attackers could leverage this information to escalate privileges or persist within the environment.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of attempting to identify service principle detected on $dest$ names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "serviceprincipalnames_discovery_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "description": "The following analytic detects the use of `setspn.exe` to query the domain for Service Principal Names (SPNs). This detection leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with `setspn.exe`. Monitoring this activity is crucial as it often precedes Kerberoasting or Silver Ticket attacks, which can lead to credential theft. If confirmed malicious, an attacker could use the gathered SPNs to escalate privileges or persist within the environment, posing a significant security risk.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principle names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process=\"*-t*\" AND Processes.process=\"*-f*\") OR (Processes.process=\"*-q*\" AND Processes.process=\"**/**\") OR (Processes.process=\"*-q*\") OR (Processes.process=\"*-s*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_setspn", "definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "serviceprincipalnames_discovery_with_setspn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services Escalate Exe", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 3, "id": "c448488c-b7ec-11eb-8253-acde48001122", "description": "The following analytic identifies the execution of a randomly named binary via `services.exe`, indicative of privilege escalation using Cobalt Strike's `svc-exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process lineage and command-line executions. This activity is significant as it often follows initial access, allowing adversaries to escalate privileges and establish persistence. If confirmed malicious, this behavior could enable attackers to execute arbitrary code, maintain long-term access, and potentially move laterally within the network, posing a severe threat to the organization's security.", "references": ["https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://attack.mitre.org/techniques/T1548/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA23-347A", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A service process $parent_process_name$ with process path $process_path$ in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.process_path Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "services_escalate_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "description": "The following analytic identifies `services.exe` spawning a LOLBAS (Living Off the Land Binaries and Scripts) execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `services.exe` is the parent process. This activity is significant because adversaries often abuse the Service Control Manager to execute malicious code via native Windows binaries, facilitating lateral movement. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1543/003/", "https://pentestlab.blog/2020/07/21/lateral-movement-services/", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Services.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "services_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "author": "Steven Dick, Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 9, "id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "description": "The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to \"Unrestricted\" or \"Bypass.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges.", "references": [], "tags": {"analytic_story": ["Credential Dumping", "DarkGate Malware", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "registry_path", "type": "Unknown", "role": ["Other"]}], "message": "A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\\\Microsoft\\\\Powershell\\\\1\\\\ShellIds\\\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database File Creation", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 4, "id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "description": "The following analytic detects the creation of shim database files (.sdb) in default directories using the sdbinst.exe application. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify file writes to the Windows\\AppPatch\\Custom directory. This activity is significant because shims can intercept and alter API calls, potentially allowing attackers to bypass security controls or execute malicious code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "message": "A process that possibly write shim database in $file_path$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "shim_database_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database Installation With Suspicious Parameters", "author": "David Dorsey, Splunk", "date": "2024-05-09", "version": 5, "id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "description": "The following analytic detects the execution of sdbinst.exe with parameters indicative of silently creating a shim database. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because shim databases can be used to intercept and manipulate API calls, potentially allowing attackers to bypass security controls or achieve persistence. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that possible create a shim db silently in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "shim_database_installation_with_suspicious_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Short Lived Scheduled Task", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "6fa31414-546e-11ec-adfa-acde48001122", "description": "The following analytic detects the creation and deletion of scheduled tasks within a short time frame (less than 30 seconds) using Windows Security EventCodes 4698 and 4699. This behavior is identified by analyzing Windows Security Event Logs and leveraging the Windows TA for parsing. Such activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or execution of malicious payloads, necessitating prompt investigation and response by security analysts.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "CISA AA23-347A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created and deleted in 30 seconds on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "short_lived_scheduled_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Short Lived Windows Accounts", "author": "David Dorsey, Splunk", "date": "2024-05-14", "version": 4, "id": "b25f6f62-0782-43c1-b403-083231ffd97d", "description": "The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame. It leverages the \"Change\" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. Immediate investigation of flagged events is crucial to mitigate potential damage.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user account created or delete shortly in host $dest$", "risk_score": 63, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"All_Changes\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "short_lived_windows_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SilentCleanup UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 4, "id": "56d7cfcc-da63-11eb-92d4-acde48001122", "description": "The following analytic detects suspicious modifications to the registry that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes in the path \"*\\\\Environment\\\\windir\" with executable values. This activity is significant as it can allow an attacker to gain high-privilege execution without user consent, bypassing UAC protections. If confirmed malicious, this could lead to unauthorized administrative access, enabling further system compromise and persistence.", "references": ["https://github.com/hfiref0x/UACME", "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Environment\\\\windir\" Registry.registry_value_data = \"*.exe*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "silentcleanup_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Single Letter Process On Endpoint", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 4, "id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "description": "The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with single letter in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \".exe\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "single_letter_process_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI RunAs Elevated", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "8d124810-b3e4-11eb-96c7-acde48001122", "description": "The following analytic detects the execution of the Microsoft Software Licensing User Interface Tool (`slui.exe`) with elevated privileges using the `-verb runas` function. This activity is identified through logs from Endpoint Detection and Response (EDR) agents, focusing on specific registry keys and command-line parameters. This behavior is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to gain elevated access and execute malicious actions with higher privileges. If confirmed malicious, this could lead to unauthorized system changes, data exfiltration, or further compromise of the affected endpoint.", "references": ["https://www.exploit-db.com/exploits/46998", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "Hostname", "role": ["Victim"]}], "message": "A slui process $process_name$ with elevated commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as this is not commonly used by legitimate applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "slui_runas_elevated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "879c4330-b3e0-11eb-b1b1-acde48001122", "description": "The following analytic detects the Microsoft Software Licensing User Interface Tool (`slui.exe`) spawning a child process. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `slui.exe` is the parent process. This activity is significant because `slui.exe` should not typically spawn child processes, and doing so may indicate a UAC bypass attempt, leading to elevated privileges. If confirmed malicious, an attacker could leverage this to execute code with elevated privileges, potentially compromising the system's security and gaining unauthorized access.", "references": ["https://www.exploit-db.com/exploits/46998", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "slui_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spike in File Writes", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 4, "id": "fdb0f805-74e4-4539-8c00-618927333aae", "description": "The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network.", "references": [], "tags": {"analytic_story": ["Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-1d@d\"), count, null))) as \"count\" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`", "how_to_implement": "In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system.", "known_false_positives": "It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spike_in_file_writes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Spawning Rundll32", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "15d905f6-da6b-11eb-ab82-acde48001122", "description": "The following analytic detects the spawning of `rundll32.exe` without command-line arguments by `spoolsv.exe`, which is unusual and potentially indicative of exploitation attempts like CVE-2021-34527 (PrintNightmare). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `spoolsv.exe` is the parent process. This activity is significant as `spoolsv.exe` typically does not spawn other processes, and such behavior could indicate an active exploitation attempt. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised endpoint.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$parent_process_name$ has spawned $process_name$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spoolsv_spawning_rundll32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Suspicious Loaded Modules", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "a5e451f8-da81-11eb-b245-acde48001122", "description": "The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.", "references": ["https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Suspicious Process Access", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "799b606e-da81-11eb-93f8-acde48001122", "description": "The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "ProcessID", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process Name", "role": ["Target"]}], "message": "$SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\spoolsv.exe\" CallTrace = \"*\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*\" TargetImage IN (\"*\\\\rundll32.exe\", \"*\\\\spoolsv.exe\") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_process_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Writing a DLL", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages the Endpoint datamodel, specifically monitoring process and filesystem events to identify `.dll` file creation within the `\\spool\\drivers\\x64\\` path. This activity is significant as it may signify an attacker attempting to execute malicious code via the Print Spooler service. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise. Immediate endpoint isolation and further investigation are recommended.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" Filesystem.file_name=\"*.dll\" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process_guid process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name process_guid | `spoolsv_writing_a_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spoolsv_writing_a_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Writing a DLL - Sysmon", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "347fd388-da87-11eb-836d-acde48001122", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon Event ID 11 to monitor file creation events in the `\\spool\\drivers\\x64\\` directory. This activity is significant because `spoolsv.exe` typically does not write DLL files, and such behavior could signify an ongoing attack. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=spoolsv.exe file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_writing_a_dll___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sqlite Module In Temp Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0f216a38-f45f-11eb-b09c-acde48001122", "description": "The following analytic detects the creation of sqlite3.dll files in the %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are written to the temporary directory. This activity is significant because it is associated with IcedID malware, which uses the sqlite3 module to parse browser databases and steal sensitive information such as banking details, credit card information, and credentials. If confirmed malicious, this behavior could lead to significant data theft and compromise of user accounts.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $file_name$ in host $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sqlite_module_in_temp_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "description": "The following analytic identifies potential threats related to the theft or forgery of authentication certificates. It detects when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. This detection leverages aggregated risk scores and event counts from the Risk data model. This activity is significant as it may indicate an ongoing attack aimed at compromising authentication mechanisms. If confirmed malicious, attackers could gain unauthorized access to sensitive systems and data, potentially leading to severe security breaches.", "references": ["https://research.splunk.com/stories/windows_certificate_services/", "https://attack.mitre.org/techniques/T1649/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Steal or Forge Authentication Certificates Behavior Identified on $risk_object$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Windows Certificate Services\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`", "how_to_implement": "The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics.", "known_false_positives": "False positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "steal_or_forge_authentication_certificates_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sunburst Correlation DLL and Network Event", "author": "Patrick Bareiss, Splunk", "date": "2024-05-11", "version": 2, "id": "701a8740-e8db-40df-9190-5516d3819787", "description": "The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon Event ID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.", "references": ["https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sunburst_correlation_dll_and_network_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Computer Account Name Change", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "description": "The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a `$`. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "OldTargetUserName", "type": "User", "role": ["Victim"]}], "message": "A computer account $OldTargetUserName$ was renamed with a suspicious computer name on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\" | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName | rename Computer as dest | `suspicious_computer_account_name_change_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_computer_account_name_change_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Copy on System32", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "ce633e56-25b2-11ec-9e76-acde48001122", "description": "The following analytic detects suspicious file copy operations from the System32 or SysWow64 directories, often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by command-line tools like cmd.exe or PowerShell. This behavior is significant as it may indicate an attempt to execute malicious code using legitimate system tools (LOLBIN). If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise or further lateral movement within the network.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Qakbot", "Sandworm Tools", "Unusual Processes", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Execution of copy exe to copy file from $process$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process,\" \") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,\"%\\\\windows\\\\system32\\\\%\") AND NOT LIKE(first_cmdline,\"%\\\\windows\\\\syswow64\\\\%\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "every user may do this event but very un-ussual.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_copy", "definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_copy_on_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Curl Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "description": "The following analytic detects the use of the curl command contacting suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command and Control (C2) activity or downloading further implants. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate the presence of MacOS adware or other malicious software attempting to establish persistence or exfiltrate data. If confirmed malicious, this could allow attackers to maintain control over the compromised system and deploy additional payloads.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_curl_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 5, "id": "ff61e98c-0337-4593-a78f-72a676c56f26", "description": "The following analytic detects instances of DLLHost.exe executing without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because DLLHost.exe typically requires arguments to function correctly, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized actions like credential dumping or file manipulation, posing a severe threat to the environment.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_dllhost", "definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_dllhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Driver Loaded Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "f880acd4-a8f1-11eb-a53b-acde48001122", "description": "The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious driver $file_name$ on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=6 ImageLoaded = \"*.sys\" NOT (ImageLoaded IN(\"*\\\\WINDOWS\\\\inf\",\"*\\\\WINDOWS\\\\System32\\\\drivers\\\\*\", \"*\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present. Some applications do load drivers", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_driver_loaded_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Event Log Service Behavior", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40", "description": "The following analytic detects the shutdown of the Windows Event Log service using Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Windows Event Log Service shutdown on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_event_log_service_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "description": "The following analytic detects the execution of gpupdate.exe without any command line arguments. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute unauthorized commands or scripts, potentially leading to further system compromise or lateral movement within the network.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_gpupdate", "definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_gpupdate_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 3, "id": "bed761f8-ee29-11eb-8bf3-acde48001122", "description": "The following analytic detects a suspicious `rundll32.exe` command line used to execute a DLL file, a technique associated with IcedID malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing the pattern `*/i:*`. This activity is significant as it indicates potential malware attempting to load an encrypted DLL payload, often named `license.dat`. If confirmed malicious, this could allow attackers to execute arbitrary code, leading to further system compromise and potential data exfiltration.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this parameter is not commonly used by windows application but can be used by the network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_icedid_rundll32_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Image Creation In Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 3, "id": "f6f904c4-1ac0-11ec-806b-acde48001122", "description": "The following analytic detects the creation of image files in the AppData folder by processes that also have a file reference in the same folder. It leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify this behavior. This activity is significant because it is commonly associated with malware, such as the Remcos RAT, which captures screenshots and stores them in the AppData folder before exfiltrating them to a command-and-control server. If confirmed malicious, this activity could indicate unauthorized data capture and exfiltration, compromising sensitive information and user privacy.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.png\",\"*.jpg\",\"*.bmp\",\"*.gif\",\"*.tiff\") Filesystem.file_path= \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_image_creation_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Kerberos Service Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "8b1297bc-6204-11ec-b7c4-acde48001122", "description": "The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,\"@\"),0)),1,0) | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Linux Discovery Commands", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 2, "id": "0edd5112-56c9-11ec-b990-acde48001122", "description": "The following analytic detects the execution of suspicious bash commands commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically looking for a high number of distinct commands executed within a short time frame. This activity is significant as it often precedes privilege escalation or other malicious actions. If confirmed malicious, an attacker could gain detailed system information, identify vulnerabilities, and potentially escalate privileges, posing a severe threat to the environment.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/", "https://attack.mitre.org/techniques/T1059/004/", "https://github.com/IvanGlinkin/AutoSUID", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", "https://github.com/rebootuser/LinEnum"], "tags": {"analytic_story": ["Linux Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Linux Discovery Commands detected on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_linux_discovery_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler rename", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 6, "id": "f0db4464-55d9-11eb-ae93-0242ac130002", "description": "The following analytic detects the renaming of microsoft.workflow.compiler.exe, a rarely used executable typically located in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names. This activity is significant because renaming this executable can indicate an attempt to evade security controls. If confirmed malicious, an attacker could use this renamed executable to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler usage", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 3, "id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "description": "The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_microsoftworkflowcompiler", "definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious msbuild path", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "f5198224-551c-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of msbuild.exe from a non-standard path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that deviate from typical msbuild.exe locations. This activity is significant because msbuild.exe is commonly abused by attackers to execute malicious code, and running it from an unusual path can indicate an attempt to evade detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\\\framework*\\\\v*\\\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Rename", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 5, "id": "4006adac-5937-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed msbuild.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Spawn", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 3, "id": "a115fba6-5514-11eb-ae93-0242ac130002", "description": "The following analytic identifies instances where wmiprvse.exe spawns msbuild.exe, which is unusual and indicative of potential misuse of a COM object. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant because msbuild.exe is typically spawned by devenv.exe during legitimate Visual Studio use, not by wmiprvse.exe. If confirmed malicious, this behavior could indicate an attacker executing arbitrary code or scripts, potentially leading to system compromise or further malicious activities.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious msbuild.exe process executed on $dest$ by $user$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta child process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "60023bb6-5500-11eb-ae93-0242ac130002", "description": "The following analytic identifies child processes spawned from \"mshta.exe\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like \"powershell.exe\" and \"cmd.exe\". This activity is significant because \"mshta.exe\" is often exploited by attackers to execute malicious scripts or commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Monitoring this activity helps in early detection of potential threats leveraging \"mshta.exe\" for malicious purposes.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious mshta child process detected on host $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta spawn", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "description": "The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html", "https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "mshta.exe spawned by wmiprvse.exe on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "description": "The following analytic identifies the use of the native macOS utility, PlistBuddy, to create or modify property list (.plist) files. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving PlistBuddy. This activity is significant because PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised macOS system.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_plistbuddy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage via OSquery", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "20ba6c32-c733-4a32-b64e-2688cf231399", "description": "The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery_process` \"columns.cmdline\"=\"*LaunchAgents*\" OR \"columns.cmdline\"=\"*RunAtLoad*\" OR \"columns.cmdline\"=\"*true*\" | `suspicious_plistbuddy_usage_via_osquery_filter`", "how_to_implement": "OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_plistbuddy_usage_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "description": "The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon Event ID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "references": ["https://urlhaus.abuse.ch/url/1798923/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Phemedrone Stealer", "Remcos", "Snake Keylogger", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\", \"*api.telegram*\",\"*t.me*\") process_name IN (\"cmd.exe\", \"*powershell*\", \"pwsh.exe\", \"wscript.exe\",\"cscript.exe\") OR Image IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_dns_query_known_abuse_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process Executed From Container File", "author": "Steven Dick", "date": "2024-05-09", "version": 2, "id": "d8120352-3b62-411c-8cb6-7b47584dd5e8", "description": "The following analytic identifies a suspicious process executed from within common container/archive file types such as ZIP, ISO, IMG, and others. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is a common technique used by adversaries to execute scripts or evade defenses. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/", "https://attack.mitre.org/techniques/T1204/002/"], "tags": {"analytic_story": ["Amadey", "Remcos", "Snake Keylogger", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A suspicious process $process_name$ was launched from $file_name$ on $dest$.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.ZIP\\\\*\",\"*.ISO\\\\*\",\"*.IMG\\\\*\",\"*.CAB\\\\*\",\"*.TAR\\\\*\",\"*.GZ\\\\*\",\"*.RAR\\\\*\",\"*.7Z\\\\*\") AND Processes.action=\"allowed\" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process=\"(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\\\\\.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\\\"?$\" | rex field=process \"(?i).+\\\\\\\\(?[^\\\\\\]+\\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\\\\\((.+\\\\\\\\)+)?(?.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\\\"?$\"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Various business process or userland applications and behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_process_executed_from_container_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process File Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "9be25988-ad82-11eb-a14f-acde48001122", "description": "The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "Phemedrone Stealer", "PlugX", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_path", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\windows\\\\fonts\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\users\\\\public\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\debug\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Administrator\\\\Music\\\\*\" OR Processes.process_path = \"*\\\\Windows\\\\servicing\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Default\\\\*\" OR Processes.process_path = \"*Recycle.bin*\" OR Processes.process_path = \"*\\\\Windows\\\\Media\\\\*\" OR Processes.process_path = \"\\\\Windows\\\\repair\\\\*\" OR Processes.process_path = \"*\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\PerfLogs\\\\*\" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may allow execution of specific binaries in non-standard paths. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process With Discord DNS Query", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "4d4332ae-792c-11ec-89c1-acde48001122", "description": "The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing \"discord\" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*discord*\") Image != \"*\\\\AppData\\\\Local\\\\Discord\\\\*\" AND Image != \"*\\\\Program Files*\" AND Image != \"discord.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`", "how_to_implement": "his detection relies on sysmon logs with the Event ID 22, DNS Query.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_with_discord_dns_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Reg exe Process", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 5, "id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "description": "The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access.", "references": ["https://car.mitre.org/wiki/CAR-2013-03-001/"], "tags": {"analytic_story": ["DHS Report TA18-074A", "Disabling Security Tools", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_reg_exe_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 4, "id": "62732736-6250-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Regsvr32.exe to register DLLs from suspicious paths such as AppData, ProgramData, or Windows Temp directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing traditional security controls. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5", "https://any.run/report/f29a7d2ecd3585e1e4208e44bcc7156ab5388725f1d29d03e7699da0d4598e7c/0826458b-5367-45cf-b841-c95a33a01718"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Qakbot", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_regsvr32_register_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 dllregisterserver", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "description": "The following analytic detects the execution of rundll32.exe with the DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to register a malicious DLL, which can be a method for code execution or persistence. If confirmed malicious, an attacker could gain unauthorized code execution, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/pan-unit42/tweets/blob/master/2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://docs.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver?redirectedfrom=MSDN"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 4, "id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "description": "The following analytic detects the execution of rundll32.exe without any command line arguments. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. It is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 PluginInit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "92d51712-ee29-11eb-b1ae-acde48001122", "description": "The following analytic identifies the execution of the rundll32.exe process with the \"plugininit\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the \"plugininit\" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party application may used this dll export name to execute function.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_plugininit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 StartW", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 4, "id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "description": "The following analytic identifies the execution of rundll32.exe with the DLL function names \"Start\" and \"StartW,\" commonly associated with Cobalt Strike payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it often indicates the presence of malicious payloads, such as Cobalt Strike, which can lead to unauthorized code execution. If confirmed malicious, this activity could allow attackers to inject shellcode, escalate privileges, and maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1036", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Suspicious Rundll32 Activity", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32.exe running with suspicious StartW parameters on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_startw_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Scheduled Task from Public Directory", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "7feb7972-7ac3-11eb-bac8-acde48001122", "description": "The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\\public, \\programdata\\, or \\windows\\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Living Off The Land", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious scheduled task registered on $dest$ from Public Directory", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\\\users\\\\public\\\\* OR Processes.process=*\\\\programdata\\\\* OR Processes.process=*windows\\\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_scheduled_task_from_public_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. This activity is significant because searchprotocolhost.exe typically runs with specific arguments, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized code execution, potential credential dumping, or other malicious actions within the environment.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_searchprotocolhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "description": "The following analytic identifies the use of SQLite3 querying the MacOS preferences to determine the original URL from which a package was downloaded. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving LSQuarantine. This activity is significant as it is commonly associated with MacOS adware and other malicious software. If confirmed malicious, this behavior could indicate an attempt to track or manipulate downloaded packages, potentially leading to further system compromise or persistent adware infections.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_sqlite3_lsquarantine_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Ticket Granting Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "d77d349e-6269-11ec-9cfe-acde48001122", "description": "The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious TGT was requested was requested by $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` (EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\") OR (EventCode=4768 TargetUserName!=\"*$\") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),\"TRUE\") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_ticket_granting_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious WAV file in Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "5be109e6-1ac5-11ec-b421-acde48001122", "description": "The following analytic detects the creation of .wav files in the AppData folder, a behavior associated with Remcos RAT malware, which stores audio recordings in this location for data exfiltration. The detection leverages endpoint process and filesystem data to identify .wav file creation within the AppData\\Roaming directory. This activity is significant as it indicates potential unauthorized data collection and exfiltration by malware. If confirmed malicious, this could lead to sensitive information being sent to an attacker's command and control server, compromising the affected system's confidentiality.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.wav\") Filesystem.file_path = \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_wav_file_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious wevtutil Usage", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-19", "version": 5, "id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "description": "The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA23-347A", "Clop Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Wevtutil.exe being used to clear Event Logs on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN (\"* cl *\", \"*clear-log*\") (Processes.process=\"*System*\" OR Processes.process=\"*Security*\" OR Processes.process=\"*Setup*\" OR Processes.process=\"*Application*\" OR Processes.process=\"*trace*\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_wevtutil_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to windows Recycle Bin", "author": "Rico Valdez, Splunk", "date": "2024-05-18", "version": 3, "id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "description": "The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the \"*$Recycle.Bin*\" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "PlugX"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious writes to windows Recycle Bin process $process_name$ on $dest$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*$Recycle.Bin*\" by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | join process_id [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \"explorer.exe\" by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.", "known_false_positives": "Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_writes_to_windows_recycle_bin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 4, "id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "description": "The following analytic detects instances of 'svchost.exe' spawning Living Off The Land Binaries and Scripts (LOLBAS) processes. It leverages Endpoint Detection and Response (EDR) data to monitor child processes of 'svchost.exe' that match known LOLBAS executables. This activity is significant as adversaries often use LOLBAS techniques to execute malicious code stealthily, potentially indicating lateral movement or code execution attempts. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Svchost.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "svchost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Info Gathering Using Dxdiag Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "f92d74f2-4921-11ec-b685-acde48001122", "description": "The following analytic identifies the execution of the dxdiag.exe process with specific command-line arguments, which is used to gather system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line details. This activity is significant because dxdiag.exe is rarely used in corporate environments and its execution may indicate reconnaissance efforts by malicious actors. If confirmed malicious, this activity could allow attackers to collect detailed system information, aiding in further exploitation or lateral movement within the network.", "references": ["https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "dxdiag.exe process with commandline $process$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = \"* /t *\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_dxdiag", "definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_info_gathering_using_dxdiag_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Information Discovery Detection", "author": "Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 4, "id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "description": "The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration.", "references": ["https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential system information discovery behavior on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*wmic* qfe*\" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators debugging servers", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_information_discovery_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Processes Run From Unexpected Locations", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-25", "version": 7, "id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "description": "The following analytic identifies system processes running from unexpected locations outside `C:\\Windows\\System32\\` or `C:\\Windows\\SysWOW64`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths, names, and hashes. This activity is significant as it may indicate a malicious process attempting to masquerade as a legitimate system process. If confirmed malicious, this behavior could allow an attacker to execute code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/"], "tags": {"analytic_story": ["DarkGate Malware", "Masquerading - Rename System Utilities", "Qakbot", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\"C:\\\\Windows\\\\System32*\" Processes.process_path !=\"C:\\\\Windows\\\\SysWOW64*\" by Processes.dest Processes.user Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_windows_system_file_macro", "definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_processes_run_from_unexpected_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Query", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "description": "The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering logged-in users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify active users, aiding in further lateral movement and privilege escalation within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"query.exe\") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Whoami", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "description": "The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Qakbot", "Rhysida Ransomware", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"whoami.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Time Provider Persistence Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 5, "id": "5ba382c4-2105-11ec-8d8f-acde48001122", "description": "The following analytic detects suspicious modifications to the time provider registry for persistence and autostart. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders\" registry path. This activity is significant because such modifications are uncommon and can indicate an attempt to establish persistence on a compromised host. If confirmed malicious, this technique allows an attacker to maintain access and execute code automatically upon system boot, potentially leading to further exploitation and control over the affected system.", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/", "https://attack.mitre.org/techniques/T1547/003/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "time_provider_persistence_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Trickbot Named Pipe", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "1804b0a4-a682-11eb-8f68-acde48001122", "description": "The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern \"\\\\pipe\\\\*lacesomepipe\". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Possible Trickbot namedpipe created on $dest$ by $process_name$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (17,18) PipeName=\"\\\\pipe\\\\*lacesomepipe\" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "trickbot_named_pipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass MMC Load Unsigned Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "7f04349c-e30d-11eb-bc7f-acde48001122", "description": "The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ with EventCode $EventCode$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded = \"*.dll\" Image = \"*\\\\mmc.exe\" Signed=false Company != \"Microsoft Corporation\" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown. all of the dll loaded by mmc.exe is microsoft signed dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_mmc_load_unsigned_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass With Colorui COM Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "description": "The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment.", "references": ["https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "not so common. but 3rd part app may load this dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_with_colorui_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Uninstall App Using MsiExec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "1fca2b28-f922-11eb-b2dd-acde48001122", "description": "The following analytic detects the uninstallation of applications using msiexec with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it is an uncommon practice in enterprise environments and has been associated with malicious behavior, such as disabling antivirus software. If confirmed malicious, this could allow an attacker to remove security software, potentially leading to further compromise and persistence within the network.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ with a cmdline $process$ in host $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= \"* /qn *\" Processes.process= \"*/X*\" Processes.process= \"*REBOOT=*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uninstall_app_using_msiexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unknown Process Using The Kerberos Protocol", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 3, "id": "c91a0852-9fbb-11ec-af44-acde48001122", "description": "The following analytic identifies a non-lsass.exe process making an outbound connection on port 88, which is typically used by the Kerberos authentication protocol. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. This activity is significant because, under normal circumstances, only the lsass.exe process should interact with the Kerberos Distribution Center. If confirmed malicious, this behavior could indicate an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized access or lateral movement within the network.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Unknown process $process_name$ using the kerberos protocol detected on host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Custom applications may leverage the Kerberos protocol. Filter as needed.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unknown_process_using_the_kerberos_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unload Sysmon Filter Driver", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 5, "id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "description": "The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment.", "references": ["https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver"], "tags": {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Sysmon filter driver unloading on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | table firstTime lastTime dest user count process_name process_id parent_process_name process | `unload_sysmon_filter_driver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown at the moment", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unload_sysmon_filter_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unloading AMSI via Reflection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "a21e3484-c94d-11eb-b55b-acde48001122", "description": "The following analytic detects the tampering of AMSI (Antimalware Scan Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically those involving `system.management.automation.amsi`. This activity is significant as it indicates an attempt to bypass AMSI, a critical security feature that helps detect and block malicious scripts. If confirmed malicious, this could allow an attacker to execute harmful code undetected, leading to potential system compromise and data exfiltration.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible AMSI Unloading via Reflection using PowerShell on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Potential for some third party applications to disable AMSI upon invocation. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unloading_amsi_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "description": "The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, \"A Kerberos service ticket was requested.\" It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "message": "", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" Account_Name!=\"*$*\" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "eb3e6702-8936-11ec-98fe-acde48001122", "description": "The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1558/003/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Endpoint", "role": ["Victim"]}], "message": "tbd", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName!=\"*$\" TicketEncryptionType=0x17 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services by _time, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_kerberos_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "acb5dc74-5324-11ec-a36d-acde48001122", "description": "The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "target_hosts", "type": "Endpoint", "role": ["Victim"]}], "message": "Unusual number of remote authentication events from $Source_Network_Address$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!=\"*$\" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_remote_endpoint_authentication_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Command Line", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 6, "id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "description": "The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Unusually long command line $process_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications start with long command lines.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Command Line - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-26", "version": 2, "id": "57edaefa-a73b-45e5-bbae-f39c1473f941", "description": "The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for a given user. This is significant for a SOC as unusually long command lines can be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this activity could allow attackers to execute sophisticated commands, potentially leading to unauthorized access, data exfiltration, or further compromise of the system.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \"IsOutlier(processlen)\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that use PowerShell environment variables to identify the current logged user. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to gather critical user information, aiding in further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=\"*$env:UserName*\" OR Processes.process=\"*[System.Environment]::UserName*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "user_discovery_with_env_vars_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "description": "The following analytic detects the use of PowerShell environment variables to identify the current logged user by leveraging PowerShell Script Block Logging (EventCode=4104). This method monitors script blocks containing `$env:UserName` or `[System.Environment]::UserName`. Identifying this activity is significant as adversaries and Red Teams may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this activity could allow attackers to gain insights into user context, aiding in further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System user discovery on endpoint $dest$ by user $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*$env:UserName*\" OR ScriptBlockText = \"*[System.Environment]::UserName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "user_discovery_with_env_vars_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "USN Journal Deletion", "author": "David Dorsey, Splunk", "date": "2024-05-12", "version": 3, "id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "description": "The following analytic detects the deletion of the USN Journal using the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because the USN Journal maintains a log of all changes made to files on the disk, and its deletion can be an indicator of an attempt to cover tracks or hinder forensic investigations. If confirmed malicious, this action could allow an attacker to obscure their activities, making it difficult to trace file modifications and potentially compromising incident response efforts.", "references": [], "tags": {"analytic_story": ["Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible USN journal deletion on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\"*deletejournal*\" AND process=\"*usn*\" | `usn_journal_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "usn_journal_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Vbscript Execution Using Wscript App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "35159940-228f-11ec-8a49-acde48001122", "description": "The following analytic detects the execution of VBScript using the wscript.exe application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because wscript.exe is typically not used to execute VBScript, which is usually associated with cscript.exe. This deviation can indicate an attempt to evade traditional process monitoring and antivirus defenses. If confirmed malicious, this technique could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.joesandbox.com/analysis/369332/0/html", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute vbsscript", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"wscript.exe\" AND Processes.parent_process = \"*//e:vbscript*\") OR (Processes.process_name = \"wscript.exe\" AND Processes.process = \"*//e:vbscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "vbscript_execution_using_wscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Verclsid CLSID Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "description": "The following analytic detects the potential abuse of the verclsid.exe utility to execute malicious files via generated CLSIDs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with verclsid.exe. This activity is significant because verclsid.exe is a legitimate Windows application used to verify CLSID COM objects, and its misuse can indicate an attempt to bypass security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise or further malicious activities.", "references": ["https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "process $process_name$ to execute possible clsid commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process=\"*/S*\" Processes.process=\"*/C*\" AND Processes.process=\"*{*\" AND Processes.process=\"*}*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "windows can used this application for its normal COM object validation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_verclsid", "definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "verclsid_clsid_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "W3WP Spawning Shell", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "0f03423c-7c6a-11eb-bc47-acde48001122", "description": "The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is W3WP.exe. This activity is significant as it may indicate webshell activity, often associated with exploitation attempts like those by the HAFNIUM Group on Exchange servers. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Web Shell execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "w3wp_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WBAdmin Delete System Backups", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://attack.mitre.org/techniques/T1490/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin"], "tags": {"analytic_story": ["Chaos Ransomware", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System backups deletion on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process=\"*delete*\" AND (Processes.process=\"*catalog*\" OR Processes.process=\"*systemstatebackup*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wbadmin_delete_system_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wbemprox COM Object Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "9d911ce0-c3be-11eb-b177-acde48001122", "description": "The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious COM Object Execution on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemcomn.dll\") NOT (process_name IN (\"wmiprvse.exe\", \"WmiApSrv.exe\", \"unsecapp.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\",\"*\\\\program files*\", \"*\\\\wbem\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "legitimate process that are not in the exception list may trigger this event.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wbemprox_com_object_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Connecting To IP Check Web Services", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "ed313326-a0f9-11eb-a89c-acde48001122", "description": "The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe process connecting IP location web services on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_connecting_to_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Create Executable File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "ab3bcce0-a105-11eb-973c-acde48001122", "description": "The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe writing executable files on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_create_executable_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "e8fc95bc-a107-11eb-a978-acde48001122", "description": "The following analytic detects the spawning of cmd or PowerShell processes by the wermgr.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry, including parent-child process relationships and command-line executions. This behavior is significant as it is commonly associated with code injection techniques used by malware like TrickBot to execute shellcode or malicious DLL modules. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Qakbot", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe spawning suspicious processes on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wermgr_process_spawned_cmd_or_powershell_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wget Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "35682718-5a85-11ec-b8f7-acde48001122", "description": "The following analytic detects the use of wget on Linux or MacOS to download a file from a remote source and pipe it to bash. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wget_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Abused Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "01f0aef4-8591-4daa-a53d-0ed49823b681", "description": "The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "a network connection on known abused web services from $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\",\"\"*textbin*\"\", \"*ngrok.io*\", \"*discord*\", \"*duckdns.org*\", \"*pasteio.com*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_abused_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "6ece9ed0-5f92-4315-889d-48560472b188", "description": "The following analytic detects a process enabling the \"SeDebugPrivilege\" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", "https://atomicredteam.io/privilege-escalation/T1134.001/#atomic-test-2---%60sedebugprivilege%60-token-duplication", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Brute Ratel C4", "CISA AA23-347A", "DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4703 EnabledPrivilegeList = \"*SeDebugPrivilege*\" AND NOT(ProcessName IN (\"*\\\\Program File*\", \"*\\\\System32\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\svchost.exe*\", \"*\\\\System32\\\\svchost.exe*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_sedebugprivilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "description": "The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "description": "The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for None Disable User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "eddbf5ba-b89e-47ca-995e-2d259804e55e", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://powersploit.readthedocs.io/en/stable/Recon/README/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview", "https://atomicredteam.io/discovery/T1087.001/"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*NOT_ACCOUNTDISABLE*\" ScriptBlockText = \"*-UACFilter*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_none_disable_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for Sam Account Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "69934363-e1dd-4c49-8651-9d7663dd4d2f", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for \"samaccountname\" and \"pwdlastset\" attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for Sam Account Name on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText IN (\"*samaccountname*\", \"*pwdlastset*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_sam_account_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "cf056b65-44b2-4d32-9172-d6b6f081a376", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*-PreauthNotRequire*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_with_netuser_preauthnotrequire_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Abnormal Object Access Activity", "author": "Steven Dick", "date": "2024-05-21", "version": 2, "id": "71b289db-5f2c-4c43-8256-8bf26ae7324a", "description": "The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_abnormal_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD AdminSDHolder ACL Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "description": "The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.", "references": ["https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory", "https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx", "https://adsecurity.org/?p=1906", "https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists", "https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=\"%%14674\" ObjectDN=\"CN=AdminSDHolder,CN=System*\" | rex field=AttributeValue max_match=10000 \"A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.", "known_false_positives": "Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_adminsdholder_acl_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Cross Domain SID History Addition", "author": "Dean Luxton", "date": "2024-05-11", "version": 2, "id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_cross_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "author": "Dean Luxton", "date": "2024-05-12", "version": 2, "id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "description": "The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "GPO $SubCategory$ of $Category$ was disabled on $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN (\"%%8448\",\"%%8450\",\"%%8448, %%8450\") OR Changes IN (\"Failure removed\",\"Success removed\",\"Success removed, Failure removed\")) dest_category=\"domain_controller\"| replace \"%%8448\" with \"Success removed\", \"%%8450\" with \"Failure removed\", \"%%8448, %%8450\" with \"Success removed, Failure removed\" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`", "how_to_implement": "Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.", "known_false_positives": "Unknown", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_audit_policy_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies", "filename": "advanced_audit_policy_guids.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AD Domain Controller Promotion", "author": "Dean Luxton", "date": "2024-05-18", "version": 2, "id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "description": "The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.", "references": ["https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "AD Domain Controller Promotion Event Detected for $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_promotion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Domain Replication ACL Addition", "author": "Dean Luxton", "date": "2024-05-16", "version": 2, "id": "8c372853-f459-4995-afdc-280c114d33ab", "description": "The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.", "references": ["https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb", "https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$src_user$ has granted $user$ permission to replicate AD objects", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` | rex field=AttributeValue max_match=10000 \\\"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\\\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\\\"true\\\",\\\"false\\\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\\\"true\\\",\\\"false\\\")| where minDCSyncPermissions=\\\"true\\\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.", "known_false_positives": "When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_replication_acl_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD DSRM Account Changes", "author": "Dean Luxton", "date": "2024-05-24", "version": 3, "id": "08cb291e-ea77-48e8-a95a-0799319bf056", "description": "The following analytic identifies changes to the Directory Services Restore Mode (DSRM) account behavior via registry modifications. It detects alterations in the registry path \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" with specific values indicating potential misuse. This activity is significant because the DSRM account, if misconfigured, can be exploited to persist within a domain, similar to a local administrator account. If confirmed malicious, an attacker could gain persistent administrative access to a Domain Controller, leading to potential domain-wide compromise and unauthorized access to sensitive information.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Changes Initiated on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" Registry.registry_value_data IN (\"*1\",\"*2\") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Disaster recovery events.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_account_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD DSRM Password Reset", "author": "Dean Luxton", "date": "2024-05-12", "version": 2, "id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "description": "The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Password was reset on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id=\"4794\" AND All_Changes.result=\"An attempt was made to set the Directory Services Restore Mode administrator password\" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.", "known_false_positives": "Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Privileged Account SID History Addition", "author": "Dean Luxton", "date": "2024-05-26", "version": 3, "id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "description": "The following analytic identifies when the SID of a privileged user is added to the SID History attribute of another user. It leverages Windows Security Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. This behavior is significant as it may indicate an attempt to abuse SID history for unauthorized access across multiple domains. If confirmed malicious, this activity could allow an attacker to escalate privileges or maintain persistent access within the environment, posing a significant security risk.", "references": ["https://adsecurity.org/?p=1772"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*?)(}$|$)\" | eval category=\"privileged\" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`", "how_to_implement": "Ensure you have objectSid and the Down Level Logon Name `DOMAIN\\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.", "known_false_positives": "Migration of privileged accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_privileged_account_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Privileged Object Access Activity", "author": "Steven Dick", "date": "2024-05-18", "version": 2, "id": "dc2f58bc-8cd2-4e51-962a-694b963acde0", "description": "The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object_name", "type": "Other", "role": ["Attacker"]}], "message": "The account $user$ accessed $object_count$ privileged AD object(s).", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectName IN ( \"CN=Account Operators,*\", \"CN=Administrators,*\", \"CN=Backup Operators,*\", \"CN=Cert Publishers,*\", \"CN=Certificate Service DCOM Access,*\", \"CN=Domain Admins,*\", \"CN=Domain Controllers,*\", \"CN=Enterprise Admins,*\", \"CN=Enterprise Read-only Domain Controllers,*\", \"CN=Group Policy Creator Owners,*\", \"CN=Incoming Forest Trust Builders,*\", \"CN=Microsoft Exchange Servers,*\", \"CN=Network Configuration Operators,*\", \"CN=Power Users,*\", \"CN=Print Operators,*\", \"CN=Read-only Domain Controllers,*\", \"CN=Replicators,*\", \"CN=Schema Admins,*\", \"CN=Server Operators,*\", \"CN=Exchange Trusted Subsystem,*\", \"CN=Exchange Windows Permission,*\", \"CN=Organization Management,*\") | rex field=ObjectName \"CN\\=(?[^,]+)\" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_privileged_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated by User Account", "author": "Dean Luxton", "date": "2024-05-16", "version": 3, "id": "51307514-1236-49f6-8686-d46d93cc2821", "description": "The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND NOT (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`", "known_false_positives": "Azure AD Connect syncing operations.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_by_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "author": "Dean Luxton", "date": "2024-05-20", "version": 4, "id": "50998483-bb15-457b-a870-965080d9e3d3", "description": "The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category=\"domain_controller\" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.", "known_false_positives": "Genuine DC promotion may trigger this alert.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Same Domain SID History Addition", "author": "Dean Luxton", "date": "2024-05-22", "version": 3, "id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute can be abused by adversaries to grant unauthorized access by inheriting permissions from another account. If confirmed malicious, this could allow attackers to maintain persistent access or escalate privileges within the domain, posing a severe security risk.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_same_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "description": "The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $ObjectDN$ was set by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_serviceprincipalname_added_to_domain_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "b681977c-d90c-4efc-81a5-c58f945fb541", "description": "The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $user$ was set and shortly deleted", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "author": "Dean Luxton", "date": "2024-05-11", "version": 4, "id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "description": "The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.", "references": ["https://www.dcshadow.com/", "https://blog.netwrix.com/2022/09/28/dcshadow_attack/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://attack.mitre.org/techniques/T1207/", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue=\"GC/*\" OR AttributeValue=\"E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),\"TRUE\") | where short_lived=\"TRUE\" AND mvcount(OperationType)>1 | replace \"%%14674\" with \"Value Added\", \"%%14675\" with \"Value Deleted\" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_controller_spn_attribute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Short Lived Server Object", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "description": "The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.", "references": ["https://www.dcshadow.com/", "https://attack.mitre.org/techniques/T1207/", "https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/", "https://pentestlab.blog/2018/04/16/dcshadow/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Potential DCShadow Attack Detected on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN=\"*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*\" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.", "known_false_positives": "Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_server_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD SID History Attribute Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "1155e47d-307f-4247-beab-71071e3a458c", "description": "The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_sid_history_attribute_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AdFind Exe", "author": "Jose Hernandez, Bhavin Patel, Splunk", "date": "2024-05-13", "version": 4, "id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "description": "The following analytic identifies the execution of `adfind.exe` with specific command-line arguments related to Active Directory queries. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and FIN6 to gather sensitive AD information. If confirmed malicious, this activity could allow attackers to map the AD environment, facilitating further attacks such as privilege escalation or lateral movement.", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption", "https://www.joeware.net/freetools/tools/adfind/index.htm", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Domain Trust Discovery", "Graceful Wipe Out Attack", "IcedID", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows AdFind Exe", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* -f *\" OR Processes.process=\"* -b *\") AND (Processes.process=*objectcategory* OR Processes.process=\"* -gcb *\" OR Processes.process=\"* -sc *\") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_adfind_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admin Permission Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "e08620cb-9488-4052-832d-97bcc0afd414", "description": "The following analytic identifies the creation of a suspicious file named 'win.dat' in the root directory (C:\\). It leverages data from the Endpoint.Filesystem datamodel to detect this activity. This behavior is significant as it is commonly used by malware like NjRAT to check for administrative privileges on a compromised host. If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions, potentially leading to further system compromise and persistence.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file was created in root drive C:/ on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\", \"*.dll\", \"*.sys\", \"*.com\", \"*.vbs\", \"*.vbe\", \"*.js\", \"*.bat\", \"*.cmd\", \"*.pif\", \"*.lnk\", \"*.dat\") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"C:\") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_admin_permission_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "description": "The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://en.wikipedia.org/wiki/Administrative_share", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "$IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName=\"\\\\\\\\*\\\\ADMIN$\" OR ShareName=\"\\\\\\\\*\\\\IPC$\" OR ShareName=\"\\\\\\\\*\\\\C$\") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.", "known_false_positives": "An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_administrative_shares_accessed_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admon Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "83458004-db60-4170-857d-8572f16f070b", "description": "The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to monitor updates to the \"Default Domain Policy\" and \"Default Domain Controllers Policy.\" This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A default domain group policy was updated on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" (displayName=\"Default Domain Policy\" OR displayName=\"Default Domain Controllers Policy\") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admon Group Policy Object Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "69201633-30d9-48ef-b1b6-e680805f0582", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default \"New Group Policy Object\" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A new group policy objected was created on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" versionNumber=0 displayName!=\"New Group Policy Object\" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Base64 Content", "author": "Steven Dick, Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-28", "version": 3, "id": "683f48de-982f-4a7e-9aac-9cec550da498", "description": "The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon Event ID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.", "references": ["https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://blog.netwrix.com/2022/12/16/alternate_data_stream/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/file-stream-creation-hash.md"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=15 NOT Contents IN (\"-\",\"[ZoneTransfer]*\") | regex TargetFilename=\"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "arguments": ["b64in"]}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_alternate_datastream___base64_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Executable Content", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 3, "id": "a258bf2a-34fd-4986-8086-78f506e00206", "description": "The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.", "references": ["https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://twitter.com/0xrawsec/status/1002478725605273600?s=21"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "file_hash", "type": "File Hash", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=15 IMPHASH!=00000000000000000000000000000000 | regex TargetFilename=\"(? upperBound, \"Yes\", \"No\") | where anomaly=\"Yes\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP.", "known_false_positives": "False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_applocker_execution_from_uncommon_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 2, "id": "bca48629-7fa2-40d3-9e5d-807564504e28", "description": "The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to bypass application restrictions was detected on a host $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath, EventCode | where attempt_count > 5 | sort - attempt_count | lookup applockereventcodes EventCode OUTPUT Description | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk.", "known_false_positives": "False positives are possible if legitimate users are attempting to bypass application restrictions. This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_privilege_escalation_via_unauthorized_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "applockereventcodes", "description": "A csv of the ID and rule name for AppLocker event codes.", "filename": "applockereventcodes.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(AppLocker_Event_Code)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AppLocker Rare Application Launch Detection", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "9556f7b7-285f-4f18-8eeb-963d989f9d27", "description": "The following analytic detects the launch of rarely used applications within the environment, which may indicate the use of potentially malicious software or tools by attackers. It leverages Windows AppLocker event logs, aggregating application launch counts over time and flagging those that significantly deviate from the norm. This behavior is significant as it helps identify unusual application activity that could signal a security threat. If confirmed malicious, this activity could allow attackers to execute unauthorized code, potentially leading to further compromise of the system.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An application launch that deviates from the norm was detected on a host $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there.", "known_false_positives": "False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_rare_application_launch_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5", "description": "The following analytic detects the use of PowerShell scripts to archive files into a temporary folder. It leverages PowerShell Script Block Logging, specifically monitoring for the `Compress-Archive` command targeting the `Temp` directory. This activity is significant as it may indicate an adversary's attempt to collect and compress data for exfiltration. If confirmed malicious, this behavior could lead to unauthorized data access and exfiltration, posing a severe risk to sensitive information and overall network security.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Archive Collected Data via Powershell on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Compress-Archive*\" ScriptBlockText = \"*\\\\Temp\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to archive data.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_archive_collected_data_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Rar", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "2015de95-fe91-413d-9d62-2fe011b67e82", "description": "The following analytic identifies the execution of RAR utilities to archive files on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line arguments. This activity is significant as threat actors, including red-teamers and malware like DarkGate, use RAR archiving to compress and exfiltrate collected data from compromised hosts. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive information to command and control servers, posing a severe risk to data confidentiality and integrity.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a Rar.exe commandline used in archiving collected data in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"Rar.exe\" OR Processes.original_file_name = \"Rar.exe\" AND Processes.process = \"*a*\" Processes.process = \"* -ep1*\" Processes.process = \"* -r*\" Processes.process = \"* -y*\" Processes.process = \"* -v5m*\" Processes.process = \"* -m1*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_archive_collected_data_via_rar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AutoIt3 Execution", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "0ecb40d9-492b-4a57-9f87-515dd742794c", "description": "The following analytic detects the execution of AutoIt3, a scripting language often used for automating Windows GUI tasks and general scripting. It identifies instances where AutoIt3 or its variants are executed by searching for process names or original file names matching 'autoit3.exe'. This activity is significant because attackers frequently use AutoIt3 to automate malicious actions, such as executing malware. If confirmed malicious, this activity could lead to unauthorized code execution, system compromise, or further propagation of malware within the environment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Other"]}], "message": "Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_autoit3_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "description": "The following analytic detects modifications to undocumented registry keys that allow a DLL to load into lsass.exe, potentially capturing credentials. It leverages the Endpoint.Registry data model to identify changes to \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt. This activity is significant as it indicates a possible attempt to inject malicious code into the Local Security Authority Subsystem Service (LSASS), which can lead to credential theft. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information and escalate privileges within the environment.", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt\",\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_autostart_execution_lsass_driver_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "description": "The following analytic detects the use of mavinject.exe for DLL injection into running processes, identified by specific command-line parameters such as /INJECTRUNNING and /HMODULE. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it indicates potential arbitrary code execution, a common tactic for malware deployment and persistence. If confirmed malicious, this could allow attackers to execute unauthorized code, escalate privileges, and maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1218/013/", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN (\"*injectrunning*\", \"*hmodule=0x*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter on DLL name or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_binary_proxy_execution_mavinject_dll_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "99d157cb-923f-4a00-aee9-1f385412146f", "description": "The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process dropped a file in %startup% folder in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows BootLoader Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "description": "The following analytic identifies the bootloader paths on Windows endpoints. It leverages a PowerShell Scripted input to capture this data, which is then processed and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC as it helps detect unauthorized modifications that could indicate bootkits or other persistent threats. If confirmed malicious, such activity could allow attackers to maintain persistence, bypass security controls, and potentially control the boot process, leading to full system compromise.", "references": ["https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of BootLoaders are present on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`", "how_to_implement": "To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model.", "known_false_positives": "No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "bootloader_inventory", "definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_bootloader_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "cce58e2c-988a-4319-9390-0daa9eefa3cd", "description": "The following analytic detects the execution of the deprecated 'pkgmgr.exe' process with an XML input file, which is unusual and potentially suspicious. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution details and command-line arguments. The significance lies in the deprecated status of 'pkgmgr.exe' and the use of XML files, which could indicate an attempt to bypass User Account Control (UAC). If confirmed malicious, this activity could allow an attacker to execute commands with elevated privileges, leading to potential system compromise and unauthorized changes.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A pkgmgr.exe executed with package manager xml input file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = \"*.xml*\" NOT(Processes.parent_process_path IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"*:\\\\Program Files*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_bypass_uac_via_pkgmgr_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows CAB File on Disk", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "622f08d0-69ef-42c2-8139-66088bc25acd", "description": "The following analytic detects .cab files being written to disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on events where the file name is '*.cab' and the action is 'write'. This activity is significant as .cab files can be used to deliver malicious payloads, including embedded .url files that execute harmful code. If confirmed malicious, this behavior could lead to unauthorized code execution and potential system compromise. Analysts should review the file path and associated artifacts for further investigation.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A .cab file was written to disk on endpoint $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_cab_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Cached Domain Credentials Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "description": "The following analytic identifies a process command line querying the CachedLogonsCount registry value in the Winlogon registry. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and registry queries. Monitoring this activity is significant as it can indicate the use of post-exploitation tools like Winpeas, which gather information about login caching settings. If confirmed malicious, this activity could help attackers understand login caching configurations, potentially aiding in credential theft or lateral movement within the network.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://learn.microsoft.com/de-de/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Processes.process = \"*CACHEDLOGONSCOUNT*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_cached_domain_credentials_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Change Default File Association For No File Ext", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "dbdf52ad-d6a1-4b68-975f-0a10939d8e38", "description": "The following analytic detects attempts to change the default file association for files without an extension to open with Notepad.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and registry modifications. This activity is significant as it can indicate an attempt to manipulate file handling behavior, a technique observed in APT and ransomware attacks like Prestige. If confirmed malicious, this could allow attackers to execute arbitrary code by tricking users into opening files, potentially leading to system compromise or data exfiltration.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with commandline $process$ set or change the file association of a file with no file extension in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process=\"* add *\" AND Processes.process=\"* HKCR\\\\*\" AND Processes.process=\"*\\\\shell\\\\open\\\\command*\" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process \"Notepad\\.exe (?.*$)\" | rex field=file_name_association \"\\.(?[^\\.]*$)\" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_change_default_file_association_for_no_file_ext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "ab73289e-2246-4de0-a14b-67006c72a893", "description": "The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_clipboard_data_via_get_clipboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "description": "The following analytic detects the modification of the InProcServer32 registry key by reg.exe, indicative of potential COM hijacking. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. COM hijacking is significant as it allows adversaries to insert malicious code that executes in place of legitimate software, providing a means for persistence. If confirmed malicious, this activity could enable attackers to execute arbitrary code, disrupt legitimate system components, and maintain long-term access to the compromised environment.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and some filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "description": "The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of \"/..\", \"\\..\", or \"\\\\..\". This activity is significant as it often indicates attempts to evade defenses by executing malicious code, such as through msdt.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,\"/..\"))-1) | eval count_of_pattern2 = (mvcount(split(process,\"\\..\"))-1) | eval count_of_pattern3 = (mvcount(split(process,\"\\\\..\"))-1) | eval count_of_pattern4 = (mvcount(split(process,\"//..\"))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "description": "The following analytic detects path traversal command-line execution, often used in malicious documents to execute code via msdt.exe for defense evasion. It leverages Endpoint Detection and Response (EDR) data, focusing on specific patterns in process paths. This activity is significant as it can indicate an attempt to bypass security controls and execute unauthorized code. If confirmed malicious, this behavior could lead to code execution, privilege escalation, or persistence within the environment, potentially allowing attackers to deploy malware or leverage other living-off-the-land binaries (LOLBins).", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process=\"*\\/..\\/..\\/..\\/*\" OR Processes.process=\"*\\\\..\\\\..\\\\..\\\\*\" OR Processes.process=\"*\\/\\/..\\/\\/..\\/\\/..\\/\\/*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Not known at this moment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "description": "The following analytic detects the execution of a DCRat \"forkbomb\" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data, focusing on the rapid creation of cmd.exe and notepad.exe processes within a 30-second window. This activity is significant as it indicates a potential DCRat infection, a known Remote Access Trojan (RAT) with destructive capabilities. If confirmed malicious, this behavior could lead to system instability, resource exhaustion, and potential disruption of services.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple cmd.exe processes with child process of notepad.exe executed on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= \"cmd.exe\" (Processes.process_name = \"notepad.exe\" OR Processes.original_file_name= \"notepad.exe\") Processes.parent_process = \"*.bat*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_shell_dcrat_forkbomb_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell Fetch Env Variables", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "048839e4-1eaa-43ff-8a22-86d17f6fcc13", "description": "The following analytic identifies a suspicious process command line fetching environment variables with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity is significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*cmd /c set\" OR Processes.process = \"*cmd.exe /c set\" AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "shell process that are not included in this search may cause False positive. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_shell_fetch_env_variables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a", "description": "The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise.", "references": ["https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html", "https://www.splunk.com/en_us/blog/security/dark-crystal-rat-agent-deep-dive.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Disabling Security Tools", "FIN7", "Netsh Abuse", "Qakbot", "Sandworm Tools", "Volt Typhoon", "Windows Defense Evasion Tactics", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "series of process commandline being abused by threat actor have been identified on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*Cmdline Tool Not Executed In CMD Shell*\", \"*Windows System Network Config Discovery Display DNS*\", \"*Local Account Discovery With Wmic*\", \"*Net Localgroup Discovery*\", \"*Create local admin accounts using net exe*\", \"*Local Account Discovery with Net*\", \"*Icacls Deny Command*\", \"*ICACLS Grant Command*\", \"*Windows Proxy Via Netsh*\", \"*Processes launching netsh*\", \"*Disabling Firewall with Netsh*\", \"*Windows System Network Connections Discovery Netsh*\", \"*Network Connection Discovery With Arp*\", \"*Windows System Discovery Using ldap Nslookup*\", \"*Windows System Shutdown CommandLine*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_common_abused_cmd_shell_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account Created by Computer Account", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "description": "The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) \"RestrictedKrbHost\". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack).", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!=\"NT AUTHORITY\" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may have a computer account that adds computer accounts, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_created_by_computer_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "fb3b2bb3-75a4-4279-848a-165b42624770", "description": "The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName=\"*$\" src_ip!=\"::1\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible false positives will be present based on third party applications. Filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_requesting_kerberos_ticket_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account With SPN", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "description": "The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.", "references": ["https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 NewUacValue=\"0x80\" ServicePrincipalNames IN (\"*HOST/*\",\"*RestrictedKrbHost/*\") | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(TargetDomainName),values(PrimaryGroupId), values(OldUacValue), values(NewUacValue),values(SamAccountName),values(DnsHostName),values(ServicePrincipalNames) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_with_spn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ConHost with Headless Argument", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "d5039508-998d-4cfc-8b5e-9dcd679d9a62", "description": "The following analytic detects the unusual invocation of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring for command-line executions where conhost.exe is executed with the --headless argument. This activity is significant for a SOC as it is not commonly used in legitimate operations and may indicate an attacker's attempt to execute commands stealthily. If confirmed malicious, this behavior could lead to persistence, lateral movement, or other malicious activities, potentially resulting in data exfiltration or system compromise.", "references": ["https://x.com/embee_research/status/1559410767564181504?s=20", "https://x.com/GroupIB_TI/status/1719675754886131959?s=20"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows ConHost with Headless Argument detected on $dest$ by $user$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=conhost.exe Processes.process=\"*--headless *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_conhost_with_headless_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_conhost_with_headless_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Create Local Account", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "description": "The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.", "references": ["https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following $user$ was added to $dest$ as a local account.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_create_local_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credential Access From Browser Password Store", "author": "Teoderick Contreras, Bhavin Patel Splunk", "date": "2024-05-29", "version": 2, "id": "72013a8e-5cea-408a-9d51-5585386b4d69", "description": "The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-common browser process $process_name$ accessing browser user data folder on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name \"(?[^\\\\\\\\]+)$\" | eval isMalicious=if(match(browser_process_name, extracted_process_name), \"0\", \"1\") | where isMalicious=1 and isAllowed=\"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\" This search may trigger on a browser application that is not included in the browser_app_list lookup file.", "known_false_positives": "The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credential_access_from_browser_password_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "browser_app_list", "description": "A list of known browser application being targeted for credential extraction.", "filename": "browser_app_list.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(browser_process_name), WILDCARD(browser_object_path)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "description": "The following analytic detects the use of CreateDump.exe to perform a process dump. This binary is not native to Windows and is often introduced by third-party applications, including PowerShell 7. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and complete command-line executions. This activity is significant as it may indicate an attempt to dump LSASS memory, which can be used to extract credentials. If confirmed malicious, this could lead to unauthorized access and lateral movement within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name=\"FX_VER_INTERNALNAME_STR\" Processes.process=\"*-u *\" AND Processes.process=\"*-f *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credential_dumping_lsass_memory_createdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "description": "The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "CISA AA23-347A", "DarkGate Malware", "Phemedrone Stealer", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Local Extension Settings\\\\*\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_extension_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "3b1d09a8-a26f-473e-a510-6c6613573657", "description": "The following analytic detects non-Chrome processes accessing the Chrome \"Local State\" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing \"Chrome\\\\User Data\\\\Local State\" file on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\" NOT (process_name IN (\"*\\\\chrome.exe\",\"*:\\\\Windows\\\\explorer.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_localstate_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "description": "The following analytic identifies non-Chrome processes accessing the Chrome user data file \"login data.\" This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing Chrome \"Login Data\" file on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*:\\\\Windows\\\\System32\\\\dllhost.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_login_data_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "c0c5a479-bf57-4ca0-af3a-4c7081e5ba05", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is used to create stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because cmdkey.exe is often abused by post-exploitation tools and malware, such as Darkgate, to gain unauthorized access. If confirmed malicious, this behavior could allow attackers to escalate privileges and maintain persistence on the targeted host, facilitating further attacks and potential data breaches.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to create stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/generic*\" Processes.process IN (\"*/user*\", \"*/password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_creation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "46d676aa-40c6-4fe6-b917-d23b621f0f89", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe with the /delete parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. The activity is significant because cmdkey.exe can be used by attackers to delete stored credentials, potentially leading to privilege escalation and persistence. If confirmed malicious, this behavior could allow attackers to remove stored user credentials, hindering incident response efforts and enabling further unauthorized access to the compromised system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to delete stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/delete*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is often abused by post-exploitation tools like winpeas, commonly used in ransomware attacks to list stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it indicates potential credential harvesting, which can lead to privilege escalation and persistence. If confirmed malicious, attackers could gain unauthorized access to sensitive information and maintain control over compromised systems for further exploitation.", "references": ["https://ss64.com/nt/cmdkey.html", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["DarkGate Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to display stored username and credentials.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/list*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials in Registry Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "description": "The following analytic identifies processes querying the registry for potential passwords or credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that access specific registry paths known to store sensitive information. This activity is significant as it may indicate credential theft attempts, often used by adversaries or post-exploitation tools like winPEAS. If confirmed malicious, this behavior could lead to privilege escalation, persistence, or lateral movement within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1552/002/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "reg query commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process IN (\"*\\\\Software\\\\ORL\\\\WinVNC3\\\\Password*\", \"*\\\\SOFTWARE\\\\RealVNC\\\\WinVNC4 /v password*\", \"*\\\\CurrentControlSet\\\\Services\\\\SNMP*\", \"*\\\\Software\\\\TightVNC\\\\Server*\", \"*\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions*\", \"*\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys*\", \"*password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_in_registry_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Download to Suspicious Path", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "c32f091e-30db-11ec-8738-acde48001122", "description": "The following analytic detects the use of Windows Curl.exe to download a file to a suspicious location, such as AppData, ProgramData, or Public directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include the -O or --output options. This activity is significant because downloading files to these locations can indicate an attempt to bypass security controls or establish persistence. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further compromise of the system.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://attack.mitre.org/techniques/T1105/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"], "tags": {"analytic_story": ["Forest Blizzard", "IcedID", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_curl_download_to_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Upload to Remote Destination", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "42f8f1a2-4228-11ec-aade-acde48001122", "description": "The following analytic detects the use of Windows Curl.exe to upload a file to a remote destination. It identifies command-line arguments such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity is significant because adversaries may use Curl to exfiltrate data or upload malicious payloads. If confirmed malicious, this could lead to data breaches or further compromise of the system. Analysts should review parallel processes and network logs to determine if the upload was successful and isolate the endpoint if necessary.", "references": ["https://everything.curl.dev/usingcurl/uploads", "https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409", "https://twitter.com/d1r4c/status/1279042657508081664?s=20"], "tags": {"analytic_story": ["Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be limited to source control applications and may be required to be filtered out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_curl_upload_to_remote_destination_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-24", "version": 3, "id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "description": "The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.", "references": ["https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"analytic_story": ["Data Destruction", "Swift Slicer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.exe\", \"*.sys\", \"*.dll\") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_data_destruction_recursive_exec_files_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Debugger Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-06-07", "version": 1, "id": "e14d94a3-07fb-4b47-8406-f5e37180d422", "description": "This analysis detects the use of debugger tools within a production environment. While these tools are legitimate for file analysis and debugging, they are abused by malware like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) in identifying potentially suspicious tool executions, particularly for non-technical users in the production network.", "references": ["https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html", "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "tags": {"analytic_story": ["DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a debugger $process_name$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"x32dbg.exe\" OR Processes.process_name = \"x64dbg.exe\" OR Processes.process_name = \"windbg.exe\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_debugger_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator or IT professional may execute this application for verifying files or debugging application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_debugger_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "description": "The following analytic identifies modifications to the TranscodedWallpaper file in the wallpaper theme directory, excluding changes made by explorer.exe. This detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to correlate process activity with file modifications. This activity is significant as it may indicate an adversary attempting to deface or change the desktop wallpaper of a targeted host, a tactic often used to signal compromise or deliver a message. If confirmed malicious, this could be a sign of unauthorized access and tampering, potentially leading to further system compromise or data exfiltration.", "references": ["https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "modification or creation of transcodedwallpaper file by $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !=\"*\\\\Windows\\\\Explorer.EXE\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Themes\\\\TranscodedWallpaper\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "3rd part software application can change the wallpaper. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_defacement_modify_transcodedwallpaper_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserSid", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A default group policy object was modified on $Computer$ by $SubjectUserSid$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN=\"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*\" OR ObjectDN=\"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*\") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with specific GUIDs related to default GPOs. This activity is significant because default GPOs, such as the `Default Domain Controllers Policy` and `Default Domain Policy`, are critical for enforcing security policies across the domain. If malicious, such modifications could allow an attacker to gain further access, establish persistence, or deploy malware across numerous hosts, severely compromising the network's security.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A default group policy object was opened with Group Policy Manage Editor on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = \"*31B2F340-016D-11D2-945F-00C04FB984F9*\" OR Processes.process = \"*6AC1786C-016F-11D2-945F-00C04fB984F9*\" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_default_group_policy_object_modified_with_gpme_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defender ASR Audit Events", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea", "description": "This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR audit event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | stats count min(_time) as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_audit_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Block Events", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "026f5f4e-e99f-4155-9e63-911ba587300b", "description": "This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR block event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | stats count min(_time) as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_block_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Registry Modification", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "6a1b6cbe-6612-44c3-92b9-1a1bd77412eb", "description": "The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR registry modification event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rule Disabled", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "429d611b-3183-49a7-b235-fc4203c4e1cb", "description": "The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR rule disabled event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | search New_Registry_Value=\"Disabled\" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rule_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rules Stacking", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "425a6657-c5e4-4cbb-909e-fc9e5d326f01", "description": "The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An ASR rule, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired.", "known_false_positives": "False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rules_stacking_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender Exclusion Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 4, "id": "13395a44-4dd9-11ec-9df7-acde48001122", "description": "The following analytic detects modifications to the Windows Defender exclusion registry entries. It leverages endpoint registry data to identify changes in the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\". This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Qakbot", "Remcos", "Warzone RAT", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_defender_exclusion_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Delete or Modify System Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "b188d11a-eba7-419d-b8b6-cc265b4f2c4f", "description": "The following analytic identifies 'netsh' processes that delete or modify firewall configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific keywords. This activity is significant because it can indicate malware, such as NJRAT, attempting to alter firewall settings to evade detection or remove traces. If confirmed malicious, this behavior could allow an attacker to disable security measures, facilitating further compromise and persistence within the network.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ deleted a firewall configuration on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* firewall *\" Processes.process = \"* delete *\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may modify or delete firewall configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_delete_or_modify_system_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "description": "The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Change Password Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" with a value of \"0x00000001\". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableChangePassword\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "datamodel": ["Endpoint", "Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_change_password_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 4, "id": "c82adbc6-9f00-11ec-a81f-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" with a value of \"0x00000001\". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption.", "references": ["https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/", "https://heimdalsecurity.com/blog/fatalrat-targets-telegram/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableLockWorkstation\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_lock_workstation_feature_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable LogOff Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 4, "id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system.", "references": ["https://www.hybrid-analysis.com/sample/e2d4018fd3bd541c153af98ef7c25b2bf4a66bc3bfb89e437cde89fd08a9dd7b/5b1f4d947ca3e10f22714774", "https://malwiki.org/index.php?title=DigiPop.xp", "https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"NoLogOff\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_logoff_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Memory Crash Dump", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 3, "id": "59e54602-9680-11ec-a8a6-acde48001122", "description": "The following analytic detects attempts to disable the memory crash dump feature on Windows systems by setting the registry value to 0. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled registry key. This activity is significant because disabling crash dumps can hinder forensic analysis and incident response efforts. If confirmed malicious, this action could be part of a broader attack strategy, such as data destruction or system destabilization, as seen with HermeticWiper, potentially leading to significant operational disruptions and data loss.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process was identified attempting to disable memory crash dumps on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\CrashControl\\\\CrashDumpEnabled\") AND Registry.registry_value_data=\"0x00000000\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_memory_crash_dump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Notification Center", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableNotificationCenter\" registry value set to \"0x00000001.\" This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows notification center was disabled on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_notification_center_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable or Modify Tools Via Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a43ae66f-c410-4b3d-8741-9ce1ad17ddb0", "description": "The following analytic identifies the use of taskkill.exe to forcibly terminate processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific taskkill parameters. This activity is significant because it can indicate attempts to disable security tools or disrupt legitimate applications, a common tactic in malware operations. If confirmed malicious, this behavior could allow attackers to evade detection, disrupt system stability, and potentially gain further control over the compromised system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "A taskkill process to terminate process is executed on host- $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" Processes.process IN (\"* /f*\", \"* /t*\") Processes.process IN (\"* /im*\", \"* /pid*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Network administrator can use this application to kill process during audit or investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_or_modify_tools_via_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Shutdown Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "55fb2958-9ecd-11ec-a06a-acde48001122", "description": "The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"shutdownwithoutlogon\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_shutdown_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "description": "The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively.", "references": ["https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["CISA AA23-347A", "IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*set config*\", \"*httplogging*\",\"*dontlog:true*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_event_logging_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 5, "id": "63a449ae-9f04-11ec-945e-acde48001122", "description": "The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment.", "references": ["https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis", "https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to disable windows group policy features on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_group_policy_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DisableAntiSpyware Registry", "author": "Rod Soto, Jose Hernandez, Michael Haag, Splunk", "date": "2024-05-28", "version": 3, "id": "23150a40-9301-4195-b802-5bb4f43067fb", "description": "The following analytic detects the modification of the Windows Registry key \"DisableAntiSpyware\" being set to disable. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"DisableAntiSpyware\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with Ryuk ransomware infections, indicating potential malicious intent to disable Windows Defender. If confirmed malicious, this action could allow attackers to disable critical security defenses, facilitating further malicious activities such as data encryption, exfiltration, or additional system compromise.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/"], "tags": {"analytic_story": ["Azorult", "CISA AA22-264A", "CISA AA23-347A", "RedLine Stealer", "Ryuk Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows DisableAntiSpyware registry key set to 'disabled' on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name=\"DisableAntiSpyware\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disableantispyware_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DiskCryptor Usage", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "description": "The following analytic detects the execution of DiskCryptor, identified by the process names \"dcrypt.exe\" or \"dcinst.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. DiskCryptor is significant because adversaries use it to manually encrypt disks during an operation, potentially leading to data inaccessibility. If confirmed malicious, this activity could result in complete disk encryption, causing data loss and operational disruption. Immediate investigation is required to mitigate potential ransomware attacks.", "references": ["https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://github.com/DavidXanatos/DiskCryptor"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dcrypt.exe\" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_diskcryptor_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Diskshadow Proxy Execution", "author": "Lou Stella, Splunk", "date": "2024-05-18", "version": 2, "id": "58adae9e-8ea3-11ec-90f6-acde48001122", "description": "The following analytic detects the use of DiskShadow.exe in scripting mode, which can execute arbitrary unsigned code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions with scripting mode flags. This activity is significant because DiskShadow.exe is typically used for legitimate backup operations, but its misuse can indicate an attempt to execute unauthorized code. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.", "references": ["https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Signed Binary Proxy Execution on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_diskshadow", "definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_diskshadow_proxy_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DISM Remove Defender", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "8567da9e-47f0-11ec-99a9-acde48001122", "description": "The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender.", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender.", "risk_score": 80, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process=\"*/online*\" AND Processes.process=\"*/disable-feature*\" AND Processes.process=\"*Windows-Defender*\" AND Processes.process=\"*/remove*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dism_remove_defender_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "description": "The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Qakbot", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 NOT (process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`", "how_to_implement": "The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "description": "The following analytic detects DLL search order hijacking involving iscsicpl.exe. It identifies when iscsicpl.exe loads a malicious DLL from a new path, triggering the payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on child processes spawned by iscsicpl.exe. This activity is significant as it indicates a potential attempt to execute unauthorized code via DLL hijacking. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/422926799/csplugin/tree/master/bypassUAC"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_with_iscsicpl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Side-Loading In Calc", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "af01f6db-26ac-440e-8d89-2793e303f137", "description": "The following analytic detects suspicious DLL modules loaded by calc.exe that are not located in the %systemroot%\\system32 or %systemroot%\\sysWoW64 directories. This detection leverages Sysmon EventCode 7 to identify DLL side-loading, a technique often used by Qakbot malware to execute malicious DLLs. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.", "references": ["https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Image = \"*\\calc.exe\" AND NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\")) AND NOT(ImageLoaded IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\windows\\\\WinSXS\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_side_loading_in_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "description": "The following analytic identifies suspicious child processes spawned by calc.exe, indicative of DLL side-loading techniques. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, and parent processes. This activity is significant as it is commonly associated with Qakbot malware, which uses calc.exe to load malicious DLLs via regsvr32.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges, posing a severe threat to the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "calc.exe has a child process $process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_side_loading_process_child_of_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DNS Gather Network Info", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "description": "The following analytic detects the use of the dnscmd.exe command to enumerate DNS records. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This activity is significant as it may indicate an adversary gathering network information, a common precursor to more targeted attacks. If confirmed malicious, this behavior could enable attackers to map the network, identify critical assets, and plan subsequent actions, potentially leading to data exfiltration or further compromise of the network.", "references": ["https://cert.gov.ua/article/3718487", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process commandline $process$ to enumerate dns record in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dnscmd.exe\" Processes.process = \"* /enumrecords *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dns_gather_network_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DnsAdmins New Member Added", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 4, "id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "description": "The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise", "https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A new member $user$ added to the DnsAdmins group by $src_user$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`", "how_to_implement": "To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.", "known_false_positives": "New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dnsadmins_new_member_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "a7fbbc4e-4571-424a-b627-6968e1c939e4", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetComputer, which is used to query Active Directory for user account details such as \"samaccountname,\" \"accountexpires,\" \"lastlogon,\" and more. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Domain Account Discovery Via Get-NetComputer in $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetComputer*\" ScriptBlockText IN (\"*samaccountname*\", \"*accountexpires*\", \"*lastlogon*\", \"*lastlogoff*\", \"*pwdlastset*\", \"*logoncount*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_domain_account_discovery_via_get_netcomputer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Domain Admin Impersonation Indicator", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "10381f93-6d38-470a-9c30-d25478e3bd3f", "description": "The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.", "references": ["https://trustedsec.com/blog/a-diamond-in-the-ruff", "https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks", "https://github.com/GhostPack/Rubeus/pull/136", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "TargetUserName", "type": "User", "role": ["Victim"]}], "message": "$TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN (\"*$\", \"SYSTEM\", \"DWM-*\",\"LOCAL SERVICE\",\"NETWORK SERVICE\", \"ANONYMOUS LOGON\", \"UMFD-*\") | where match(GroupMembership, \"Domain Admins\") | stats count by _time, TargetUserName, GroupMembership, host | lookup domain_admins username as TargetUserName OUTPUT username | fillnull value=NotDA username | search username = \"NotDA\" | `windows_domain_admin_impersonation_indicator_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table.", "known_false_positives": "False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_domain_admin_impersonation_indicator_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "domain_admins", "description": "List of domain admins", "filename": "domain_admins.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Windows DotNet Binary in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "fddf3b56-7933-11ec-98a6-acde48001122", "description": "The following analytic detects the execution of native .NET binaries from non-standard directories within the Windows operating system. It leverages Endpoint Detection and Response (EDR) telemetry, comparing process names and original file names against a predefined lookup using the `is_net_windows_file_macro` macro. This activity is significant because adversaries may move .NET binaries to unconventional paths to evade detection and execute malicious code. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` | `windows_dotnet_binary_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "is_net_windows_file_macro", "definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dotnet_binary_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "description": "The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244"], "tags": {"analytic_story": ["Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Drivers have been identified on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`", "how_to_implement": "To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.", "known_false_positives": "Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\\drivers and look for non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "driverinventory", "definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Load Non-Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "9216ef3d-066a-4958-8f27-c84589465e62", "description": "The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A kernel mode driver was loaded from a non-standard path on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_driver_load_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Drivers Loaded by Signature", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "description": "The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A driver has loaded on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.", "known_false_positives": "This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_drivers_loaded_by_signature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "description": "The following analytic detects the creation of a new DWORD value named \"EnableAt\" in the registry path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands to add scheduled tasks on a Windows endpoint. The detection leverages registry event data from the Endpoint datamodel. This activity is significant because it may indicate that an attacker is enabling the ability to schedule tasks, potentially to execute malicious code at specific times or intervals. If confirmed malicious, this could allow persistent code execution on the system.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\CurrentVersion\\\\Schedule\\\\Configuration*\" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_enable_win32_scheduledjob_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event For Service Disabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 4, "id": "9c2620a8-94a1-11ec-b40c-acde48001122", "description": "The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["RedLine Stealer", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Service $ServiceName$ was disabled on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_system` EventCode=7040 EventData_Xml=\"*disabled*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Windows service update may cause this event. In that scenario, filtering is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_for_service_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event Log Cleared", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-12", "version": 8, "id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "description": "The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA22-264A", "Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows event logs cleared on $dest$ via EventCode $EventCode$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_log_cleared_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event Triggered Image File Execution Options Injection", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "description": "The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.", "references": ["https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_application` EventCode=3000 | rename param1 AS \"Process\" param2 AS \"Exit_Code\" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`", "how_to_implement": "This analytic requires capturing the Windows Event Log Application channel in XML.", "known_false_positives": "False positives may be present and tuning will be required before turning into a TTP or notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_triggered_image_file_execution_options_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Excessive Disabled Services Event", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "c3f85976-94a5-11ec-9a58-acde48001122", "description": "The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This activity is significant as it may indicate an adversary attempting to disable security applications or other critical services, potentially leading to defense evasion or destructive actions. If confirmed malicious, this behavior could allow attackers to disable security defenses, disrupt system operations, and achieve their objectives on the compromised system.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An excessive number (Count - $MessageCount$) of Windows services were disabled on dest - $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7040 \"disabled\" | stats count values(EventData_Xml) as MessageList dc(EventData_Xml) as MessageCount min(_time) as firstTime max(_time) as lastTime by Computer EventCode UserID | rename Computer as dest | where count >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_excessive_disabled_services_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Executable in Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "3e27af56-fcf0-4113-988d-24969b062be7", "description": "The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An executable $ImageLoaded$ loaded by $Image$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_executable_in_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Execute Arbitrary Commands with MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "description": "The following analytic detects arbitrary command execution using Windows msdt.exe, a Diagnostics Troubleshooting Wizard. It leverages Endpoint Detection and Response (EDR) data to identify instances where msdt.exe is invoked via the ms-msdt:/ protocol handler to retrieve a remote payload. This activity is significant as it can indicate an exploitation attempt leveraging msdt.exe to execute arbitrary commands, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe security risk.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe Processes.process IN (\"*msdt*\",\"*ms-msdt:*\",\"*ms-msdt:/id*\",\"*ms-msdt:-id*\",\"*/id*\") AND (Processes.process=\"*IT_BrowseForFile=*\" OR Processes.process=\"*IT_RebrowseForFile=*\" OR Processes.process=\"*.xml*\") AND Processes.process=\"*PCWDiagnostic*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_execute_arbitrary_commands_with_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "description": "The following analytic detects potential data exfiltration using PowerShell's Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts that attempt to upload files via HTTP POST requests. This activity is significant as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots or files, to an external command and control (C2) server. If confirmed malicious, this could lead to data breaches, loss of sensitive information, and further compromise of the affected systems. Immediate investigation is recommended to determine the intent and scope of the activity.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Invoke-RestMethod *\" AND ScriptBlockText = \"* -Uri *\" AND ScriptBlockText = \"* -Method *\" AND ScriptBlockText = \"* Post *\" AND ScriptBlockText = \"* -InFile *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "description": "The following analytic identifies potential data exfiltration using the PowerShell `net.webclient` command with the `UploadString` method. It leverages PowerShell Script Block Logging to detect instances where this command is executed. This activity is significant as it may indicate an attempt to upload sensitive data, such as desktop screenshots or files, to an external or internal URI, often associated with malware like Winter-Vivern. If confirmed malicious, this could lead to unauthorized data transfer, compromising sensitive information and potentially leading to further exploitation of the compromised host.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Net.webclient*\" AND ScriptBlockText = \"*.UploadString*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "description": "The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.", "references": ["https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An certificate was exported on $dest$ from the Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter`", "how_to_implement": "To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational.", "known_false_positives": "False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "certificateservices_lifecycle", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Share Discovery With Powerview", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "description": "The following analytic detects the execution of the Invoke-ShareFinder PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block Logging to identify instances where this specific command is executed. Monitoring this activity is crucial as it indicates an attempt to enumerate network file shares, which may contain sensitive information such as backups, scripts, and credentials. If confirmed malicious, this activity could enable an attacker to escalate privileges or move laterally within the network, potentially compromising additional systems and sensitive data.", "references": ["https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Invoke-ShareFinder commandlet was executed on $Computer$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_file_share_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "description": "The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like \"Program Files\" or \"Windows\\System32\". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a FTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\windows\\\\system32\\\\*\",\"*\\\\windows\\\\SysWOW64\\\\*\")) (DestinationPortName=\"ftp\" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_transfer_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Without Extension In Critical Folder", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "0dbcac64-963c-11ec-bf04-acde48001122", "description": "The following analytic detects the creation of files without extensions in critical folders like \"System32\\Drivers.\" It leverages data from the Endpoint.Filesystem datamodel, focusing on file paths and creation times. This activity is significant as it may indicate the presence of destructive malware, such as HermeticWiper, which drops driver components in these directories. If confirmed malicious, this behavior could lead to severe system compromise, including boot sector wiping, resulting in potential data loss and system inoperability.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Driver file with out file extension drop in $file_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\System32\\\\drivers\\\\*\", \"*\\\\syswow64\\\\drivers\\\\*\") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field=\"file_name\" \"\\.(?[^\\.]*$)\" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Unknown at this point", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_file_without_extension_in_critical_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "c76b796c-27e1-4520-91c4-4a58695c749e", "description": "The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\",\"xcacls.exe\") AND Processes.process IN (\"*:R*\", \"*:W*\", \"*:F*\", \"*:C*\",, \"*:N*\",\"*/P*\", \"*/E*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "0ada2f82-b7af-40cc-b1d7-1e5985afcb4e", "description": "The following analytic detects the execution of the `Get-DomainOU` cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-DomainOU` usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainOU*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_domain_organizational_units_with_getdomainou_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "e4a96dfd-667a-4487-b942-ccef5a1e81e8", "description": "The following analytic detects the execution of the `Find-InterestingDomainAcl` cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-InterestingDomainAcl*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Findstr GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "description": "The following analytic detects the use of the findstr command to search for unsecured credentials in Group Policy Preferences (GPP). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving findstr.exe with references to SYSVOL and cpassword. This activity is significant because it indicates an attempt to locate and potentially decrypt embedded credentials in GPP, which could lead to unauthorized access. If confirmed malicious, this could allow an attacker to escalate privileges or gain access to sensitive systems and data within the domain.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Findstr was executed to discover GPP credentials on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_findstr_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Forest Discovery with GetForestDomain", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "a14803b2-4bd9-4c08-8b57-c37980edebe8", "description": "The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ForestDomain*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_forest_discovery_with_getforestdomain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Host Information Camera", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 3, "id": "e4df4676-ea41-4397-b160-3ee0140dc332", "description": "The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Powershell script to enumerate camera detected on host - $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"* Win32_PnPEntity *\" ScriptBlockText= \"*SELECT*\" ScriptBlockText= \"*WHERE*\" ScriptBlockText = \"*PNPClass*\" ScriptBlockText IN (\"*Image*\", \"*Camera*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may execute this powershell command to get hardware information related to camera on $dest$.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_gather_victim_host_information_camera_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Identity SAM Info", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "description": "The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.", "references": ["https://redcanary.com/blog/active-breach-evading-defenses/", "https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $dest$ that loads $ImageLoaded$ that are related to accessing to SAM object information.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\samlib.dll\" AND OriginalFileName = \"samlib.dll\") OR (ImageLoaded = \"*\\\\samcli.dll\" AND OriginalFileName = \"SAMCLI.DLL\") AND NOT (Image IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_identity_sam_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "70f7c952-0758-46d6-9148-d8969c4481d1", "description": "The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like \"wtfismyip.com\" and \"ipinfo.io\". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "DarkCrystal RAT", "Phemedrone Stealer", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process connecting IP location web services on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.*\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\", \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\", \"*geoip.*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "Filter internet browser application to minimize the false positive of this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_network_info_through_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "c8640777-469f-4638-ab44-c34a3233ffac", "description": "The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADComputer*\" AND ScriptBlockText = \"*TrustedForDelegation*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "d2988160-3ce9-4310-b59d-905334920cdd", "description": "The following analytic detects the execution of the `Find-LocalAdminAccess` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-LocalAdminAccess*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_local_admin_with_findlocaladminaccess_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Group Policy Object Created", "author": "Mauricio Velazco", "date": "2024-05-17", "version": 2, "id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service change events to identify when a new GPO is created. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.varonis.com/blog/group-policy-objects"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}], "message": "A new group policy objected was created by $User$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!=\"New Group Policy Object\" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hidden Schedule Task Settings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "description": "The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-257A", "Data Destruction", "Industroyer2", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task with hidden setting enable in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hidden_schedule_task_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hide Notification Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 4, "id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "description": "The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.ONALOCKER.A/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to hide windows notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_hide_notification_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows High File Deletion Frequency", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-18", "version": 3, "id": "45b125c4-866f-11eb-a95a-acde48001122", "description": "The following analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names, and process IDs. Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted. If confirmed malicious, this activity could lead to extensive data loss and operational disruption, as ransomware can render critical files inaccessible, demanding a ransom for their recovery.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Data Destruction", "Sandworm Tools", "Swift Slicer", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Elevated file deletion rate observed from process [$process_name$] on machine $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.cmd\", \"*.ini\",\"*.gif\", \"*.jpg\", \"*.jpeg\", \"*.db\", \"*.ps1\", \"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.bmp\",\"*.zip\", \"*.rar\", \"*.7z\", \"*.chm\", \"*.png\", \"*.log\", \"*.vbs\", \"*.js\", \"*.vhd\", \"*.bak\", \"*.wbcat\", \"*.bkf\" , \"*.backup*\", \"*.dsk\", \"*.win\") NOT TargetFilename IN (\"*\\\\INetCache\\\\Content.Outlook\\\\*\") | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_high_file_deletion_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "description": "The following analytic detects a process loading a version.dll file from a directory other than %windir%\\system32 or %windir%\\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host.", "references": ["https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loading $ImageLoaded$ as a side load dll in $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded = \"*\\\\version.dll\" AND (Signed = \"false\" OR NOT(ImageLoaded IN(\"*\\\\windows\\\\system32*\", \"*\\\\windows\\\\syswow64\\\\*\"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hijack_execution_flow_version_dll_side_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hunting System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "description": "The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hunting_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Identify Protocol Handlers", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "description": "The following analytic identifies the use of protocol handlers executed via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because protocol handlers can be exploited to execute arbitrary commands or launch applications, potentially leading to unauthorized actions. If confirmed malicious, an attacker could use this technique to gain code execution, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e", "https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html", "https://blogs.windows.com/msedgedev/2022/01/20/getting-started-url-protocol-handlers-microsoft-edge/", "https://github.com/Mr-Un1k0d3r/PoisonHandler", "https://www.mdsec.co.uk/2021/03/phishing-users-to-take-a-test/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file", "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/disabling-the-msix-ms-appinstaller-protocol-handler/ba-p/3119479", "https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug", "https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler=\"TRUE\" | `windows_identify_protocol_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_identify_protocol_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers", "filename": "windows_protocol_handlers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows IIS Components Add New Module", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "description": "The following analytic detects the execution of AppCmd.exe to install a new module in IIS. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it to install webshells or backdoors, leading to credit card scraping, persistence, and further post-exploitation. If confirmed malicious, this could allow attackers to maintain persistent access, execute arbitrary code, and potentially exfiltrate sensitive information from the compromised web server.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*install *\", \"*module *\") AND Processes.process=\"*image*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present until properly tuned. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_iis_components_add_new_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 2, "id": "20db5f70-34b4-4e83-8926-fa26119de173", "description": "The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts", "https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "IIS Modules have been listed on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`", "how_to_implement": "You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "known_false_positives": "This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "iis_get_webglobalmodule", "definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_get_webglobalmodule_module_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Module Failed to Load", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "description": "The following analytic detects when an IIS Module DLL fails to load due to a configuration problem, identified by EventCode 2282. This detection leverages Windows Application event logs to identify repeated failures in loading IIS modules. Such failures can indicate misconfigurations or potential tampering with IIS components. If confirmed malicious, this activity could lead to service disruptions or provide an attacker with opportunities to exploit vulnerabilities within the IIS environment. Immediate investigation is required to determine the legitimacy of the failing module and to mitigate any potential security risks.", "references": ["https://social.technet.microsoft.com/wiki/contents/articles/21757.event-id-2282-iis-worker-process-availability.aspx", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`", "how_to_implement": "IIS must be installed and Application event logs must be collected in order to utilize this analytic.", "known_false_positives": "False positives will be present until all module failures are resolved or reviewed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_iis_components_module_failed_to_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components New Module Added", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "description": "The following analytic detects the addition of new IIS modules on a Windows IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, specifically EventCode 29, to identify this activity. This behavior is significant because IIS modules are rarely added to production servers, and unauthorized modules could indicate malicious activity. If confirmed malicious, an attacker could use these modules to execute arbitrary code, escalate privileges, or maintain persistence within the environment, potentially compromising the server and sensitive data.", "references": ["https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter`", "how_to_implement": "You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040.", "known_false_positives": "False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "iis_operational_logs", "definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_new_module_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "467ed9d9-8035-470e-ad5e-ae5189283033", "description": "The following analytic detects the use of a PowerShell commandlet to import an AppLocker XML policy. This behavior is identified by monitoring processes that execute the \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" commands with the \"-XMLPolicy\" parameter. This activity is significant because it can indicate an attempt to disable or bypass security controls, as seen in the Azorult malware. If confirmed malicious, this could allow an attacker to disable antivirus products, leading to further compromise and persistence within the environment.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker importing xml policy command was executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process=\"*Import-Module Applocker*\" AND Processes.process=\"*Set-AppLockerPolicy *\" AND Processes.process=\"* -XMLPolicy *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_add_xml_applocker_rules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "5211c260-820e-4366-b983-84bbfb5c263a", "description": "The following analytic detects modifications to the Windows registry that change the health check interval of Windows Defender. It leverages data from the Endpoint datamodel, specifically monitoring changes to the \"ServiceKeepAlive\" registry path with a value of \"0x00000001\". This activity is significant because altering Windows Defender settings can impair its ability to perform timely health checks, potentially leaving the system vulnerable. If confirmed malicious, this could allow an attacker to disable or delay security scans, increasing the risk of undetected malware or other malicious activities.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "change in the health check interval of Windows Defender on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\ServiceKeepAlive\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_health_check_intervals_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "783f0798-f679-4c17-b3b3-187febf0b9b8", "description": "The following analytic detects modifications to the Windows registry that change the Windows Defender Quick Scan Interval. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"QuickScanInterval\" registry path. This activity is significant because altering the scan interval can impair Windows Defender's ability to detect malware promptly, potentially allowing threats to persist undetected. If confirmed malicious, this modification could enable attackers to bypass security measures, maintain persistence, and execute further malicious activities without being detected by quick scans.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender QuickScanInterval feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Scan\\\\QuickScanInterval\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_quick_scan_interval_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "f7da5fca-9261-43de-a4d0-130dad1e4f4d", "description": "The following analytic detects modifications to the ThrottleDetectionEventsRate registry setting in Windows Defender. It leverages data from the Endpoint.Registry datamodel to identify changes in the registry path related to Windows Defender's event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate can reduce the frequency of logged detection events, potentially masking malicious activities. If confirmed malicious, this could allow an attacker to evade detection by decreasing the visibility of security events, thereby hindering incident response and forensic investigations.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\ThrottleDetectionEventsRate\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_throttle_rate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "fe9391cd-952a-4c64-8f56-727cb0d4f2d4", "description": "The following analytic detects modifications to the Windows registry specifically targeting the \"WppTracingLevel\" setting within Windows Defender. This detection leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Defender tracing levels. Such modifications are significant as they can impair the diagnostic capabilities of Windows Defender, potentially hiding malicious activities. If confirmed malicious, this activity could allow an attacker to evade detection and maintain persistence within the environment, leading to further compromise and data exfiltration.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender WppTracingLevel registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\WppTracingLevel\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_tracing_level_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Configure App Install Control", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c54b7439-cfb1-44c3-bb35-b0409553077c", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender SmartScreen App Install Control feature. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values. This activity is significant because disabling App Install Control can allow users to install potentially malicious web-based applications without restrictions, increasing the risk of security vulnerabilities. If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender App Install Control registry set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControl\" Registry.registry_value_data= \"Anywhere\") OR (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControlEnabled\" Registry.registry_value_data= \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_configure_app_install_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "7215831c-8252-4ae3-8d43-db588e82f952", "description": "The following analytic detects modifications to the Windows Defender ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry datamodel to identify changes in registry values that define how Windows Defender responds to threats. This activity is significant because altering these settings can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. If confirmed malicious, this could enable attackers to bypass antivirus protections, leading to persistent threats and increased risk of data compromise or further system exploitation.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender threat action through registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Threats\\\\ThreatSeverityDefaultAction*\" Registry.registry_value_data IN (\"0x00000001\", \"9\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_define_win_defender_threat_action_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "395ed5fe-ad13-4366-9405-a228427bdd91", "description": "The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender context menu registry key deleted on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_context_menu_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "description": "The following analytic detects the deletion of the Windows Defender main profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically monitoring for deleted actions within the Windows Defender registry path. This activity is significant as it indicates potential tampering with security defenses, often associated with Remote Access Trojans (RATs) and other malware. If confirmed malicious, this action could allow an attacker to disable Windows Defender, reducing the system's ability to detect and respond to further malicious activities, thereby compromising endpoint security.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_profile_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "description": "The following analytic detects modifications in the Windows registry by the Applocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a \"Deny\" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker registry modification to deny the action of several AV products on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy Objects\\\\*\" AND Registry.registry_path= \"*}Machine\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\") OR Registry.registry_path=\"*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\" AND Registry.registry_value_data = \"*Action\\=\\\"Deny\\\"*\" AND Registry.registry_value_data IN(\"*O=SYMANTEC*\",\"*O=MCAFEE*\",\"*O=KASPERSKY*\",\"*O=BLEEPING COMPUTER*\", \"*O=PANDA SECURITY*\",\"*O=SYSTWEAK SOFTWARE*\", \"*O=TREND MICRO*\", \"*O=AVAST*\", \"*O=GRIDINSOFT*\", \"*O=MICROSOFT*\", \"*O=NANO SECURITY*\", \"*O=SUPERANTISPYWARE.COM*\", \"*O=DOCTOR WEB*\", \"*O=MALWAREBYTES*\", \"*O=ESET*\", \"*O=AVIRA*\", \"*O=WEBROOT*\") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "False positives may be present based on organization use of Applocker. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_deny_security_software_with_applocker_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "3032741c-d6fc-4c69-8988-be8043d6478c", "description": "The following analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableControlledFolderAccess registry setting. This activity is significant because Controlled Folder Access is designed to protect critical folders from unauthorized access, including ransomware attacks. If this activity is confirmed malicious, it could allow attackers to bypass a key security feature, potentially leading to unauthorized access or modification of sensitive files.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ControlledFolderAccess feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_controlled_folder_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "8467d8cd-b0f9-46fa-ac84-a30ad138983e", "description": "The following analytic detects modifications in the Windows registry to disable firewall and network protection settings within Windows Defender Security Center. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the UILockdown registry value. This activity is significant as it may indicate an attempt to impair system defenses, potentially restricting users from modifying firewall or network protection settings. If confirmed malicious, this could allow an attacker to weaken the system's security posture, making it more vulnerable to further attacks and unauthorized access.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender firewall and network protection section feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender Security Center\\\\Firewall and network protection\\\\UILockdown\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_firewall_and_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "b2215bfb-6171-4137-af17-1a02fdd8d043", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableProtocolRecognition\" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Protocol Recognition set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\DisableProtocolRecognition\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_protocol_recognition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable PUA Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "fbfef407-cfee-4866-88c1-f8de1c16147c", "description": "The following analytic detects a modification in the Windows registry to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection leverages data from the Endpoint.Registry datamodel, focusing on registry path changes related to Windows Defender. Disabling PUA protection is significant as it reduces defenses against Potentially Unwanted Applications (PUAs), which, while not always malicious, can negatively impact user experience and security. If confirmed malicious, this activity could allow an attacker to introduce adware, browser toolbars, or other unwanted software, potentially compromising system integrity and user productivity.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender PUA protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\PUAProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_pua_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "ffd99aea-542f-448e-b737-091c1b417274", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender signature updates. This activity is significant because disabling real-time signature delivery can prevent Windows Defender from receiving timely malware definitions, reducing its effectiveness. If confirmed malicious, this action could allow attackers to bypass malware detection, leading to potential system compromise and persistent threats.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File realtime signature delivery set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\RealtimeSignatureDelivery\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_realtime_signature_delivery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "e234970c-dcf5-4f80-b6a9-3a562544ca5b", "description": "The following analytic detects modifications to the Windows registry entry \"EnableWebContentEvaluation\" to disable Windows Defender web content evaluation. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes where the registry value is set to \"0x00000000\". This activity is significant as it indicates an attempt to impair browser security features, potentially allowing malicious web content to bypass security checks. If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender web content evaluation feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\AppHost\\\\EnableWebContentEvaluation\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_web_evaluation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "8b700d7e-54ad-4d7d-81cc-1456c4703306", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Application Guard auditing. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because disabling auditing can hinder security monitoring and threat detection within the isolated environment, making it easier for malicious activities to go unnoticed. If confirmed malicious, this action could allow attackers to bypass Windows Defender protections, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender AuditApplicationGuard feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\AppHVSI\\\\AuditApplicationGuard\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_app_guard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "fe52c280-98bd-4596-b6f6-a13bbf8ac7c6", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's file hash computation by setting the EnableFileHashComputation value to 0. This detection leverages data from the Endpoint.Registry data model, focusing on changes to the specific registry path associated with Windows Defender. Disabling file hash computation can significantly impair Windows Defender's ability to detect and scan for malware, making it a critical behavior to monitor. If confirmed malicious, this activity could allow attackers to bypass Windows Defender, facilitating undetected malware execution and persistence in the environment.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File hashes computation set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\MpEngine\\\\EnableFileHashComputation\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_compute_file_hashes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "93f114f6-cb1e-419b-ac3f-9e11a3045e70", "description": "The following analytic detects modifications in the Windows registry to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"DisableGenericRePorts\" registry value. This activity is significant as it can prevent the transmission of error reports to Microsoft's Windows Error Reporting service, potentially hiding malicious activities. If confirmed malicious, this action could allow attackers to bypass Windows Defender detections, reducing the visibility of their activities and increasing the risk of undetected system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableGenericRePorts registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\DisableGenericRePorts\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_gen_reports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "8b6c15c7-5556-463d-83c7-986326c21f12", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableNetworkProtection registry entry. This activity is significant because disabling Network Protection can leave the system vulnerable to network-based threats by preventing Windows Defender from analyzing and blocking malicious network activity. If confirmed malicious, this action could allow attackers to bypass security measures, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Exploit Guard network protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Network Protection\\\\EnableNetworkProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_network_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "201946c6-b1d5-42bb-a7e0-5f7123f47fc4", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's infection reporting. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"DontReportInfectionInformation\" registry key. This activity is significant because it can prevent Windows Defender from reporting detailed threat information to Microsoft, potentially allowing malware to evade detection. If confirmed malicious, this action could enable attackers to bypass security measures, maintain persistence, and avoid detection, leading to prolonged unauthorized access and potential data breaches.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DontReportInfectionInformation registry is enabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\MRT\\\\DontReportInfectionInformation\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_report_infection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "0418e72f-e710-4867-b656-0688e1523e09", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender Scan On Update feature. It leverages data from the Endpoint.Registry datamodel, specifically looking for changes to the \"DisableScanOnUpdate\" registry setting with a value of \"0x00000001\". This activity is significant because disabling automatic scans can leave systems vulnerable to malware and other threats. If confirmed malicious, this action could allow attackers to bypass Windows Defender, facilitating further compromise and persistence within the environment.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableScanOnUpdate feature set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\DisableScanOnUpdate\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_scan_on_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "7567a72f-bada-489d-aef1-59743fb64a66", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the DisableSignatureRetirement registry setting. This activity is significant because disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. If confirmed malicious, this action could allow an attacker to evade detection by using older, less relevant signatures, thereby compromising the system's security posture.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableSignatureRetirement registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\DisableSignatureRetirement\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_signature_retirement_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "10ca081c-57b1-4a78-ba56-14a40a7e116a", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry data model, focusing on changes to specific registry values related to Microsoft Edge's phishing filter settings. This activity is significant because disabling the phishing filter can allow attackers to deceive users into visiting malicious websites without triggering browser warnings. If confirmed malicious, this could lead to users unknowingly accessing harmful sites, resulting in potential security incidents or data compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Phishing Filter registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = \"*\\\\MicrosoftEdge\\\\PhishingFilter\" Registry.registry_value_name IN (\"EnabledV9\", \"PreventOverride\") Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_overide_win_defender_phishing_filter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "08058866-7987-486f-b042-275715ef6e9d", "description": "The following analytic detects modifications to the Windows registry that override the Windows Defender SmartScreen prompt. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"PreventSmartScreenPromptOverride\" registry setting. This activity is significant because it indicates an attempt to disable the prevention of user overrides for SmartScreen prompts, potentially allowing users to bypass security warnings. If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen prompt was override on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Microsoft\\\\Edge\\\\PreventSmartScreenPromptOverride\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_override_smartscreen_prompt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "cc2a3425-2703-47e7-818f-3dca1b0bc56f", "description": "The following analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to \"warn.\" This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ShellSmartScreenLevel registry value. This activity is significant because altering SmartScreen settings to \"warn\" can reduce immediate suspicion from users, allowing potentially malicious executables to run with just a warning prompt. If confirmed malicious, this could enable attackers to execute harmful files, increasing the risk of successful malware deployment and subsequent system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen Level to Warn on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\System\\\\ShellSmartScreenLevel\" Registry.registry_value_data=\"Warn\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable HVCI", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "description": "The following analytic detects the disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages data from the Endpoint datamodel, specifically focusing on registry paths and values related to HVCI settings. This activity is significant because HVCI helps protect the kernel and system processes from tampering by malicious code. If confirmed malicious, disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or other severe security breaches.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "HVCI has been disabled on $dest$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\\Enabled\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to administrative scripts disabling HVCI. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_hvci_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "description": "The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderApiLogger\\\\Start\" OR Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderAuditLogger\\\\Start\") Registry.registry_value_data =\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_win_defender_auto_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indicator Removal Via Rmdir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "c4566d2c-b094-48a1-9c59-d66e22065560", "description": "The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process execute rmdir command to delete files and directory tree in $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*rmdir*\" Processes.process = \"* /s *\" Processes.process = \"* /q *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indicator_removal_via_rmdir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via forfiles", "author": "Eric McGinnis, Splunk", "date": "2024-05-28", "version": 2, "id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "description": "The following analytic detects the execution of programs initiated by forfiles.exe. This command is typically used to run commands on multiple files, often within batch scripts. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where forfiles.exe is the parent process. This activity is significant because forfiles.exe can be exploited to bypass command line execution protections, making it a potential vector for malicious activity. If confirmed malicious, this could allow attackers to execute arbitrary commands, potentially leading to unauthorized access or further system compromise.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles"], "tags": {"analytic_story": ["Living Off The Land", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The forfiles command (forfiles.exe) launched the process name - $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*forfiles* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via pcalua", "author": "Eric McGinnis, Splunk", "date": "2024-05-10", "version": 2, "id": "3428ac18-a410-4823-816c-ce697d26f7a8", "description": "The following analytic detects programs initiated by pcalua.exe, the Microsoft Windows Program Compatibility Assistant. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process information. While pcalua.exe can start legitimate programs, it is significant because attackers may use it to bypass command line execution protections. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, potentially leading to unauthorized actions, privilege escalation, or persistence within the environment.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*pcalua* -a*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_pcalua_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "description": "The following analytic detects excessive usage of the forfiles.exe process, which is often indicative of post-exploitation activities. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and parent process. This activity is significant because forfiles.exe can be abused to execute commands on multiple files, a technique used by ransomware like Prestige. If confirmed malicious, this behavior could allow attackers to enumerate files, potentially leading to data exfiltration or further malicious actions.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "excessive forfiles process execution in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"forfiles.exe\" OR Processes.original_file_name = \"forfiles.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_series_of_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Information Discovery Fsutil", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "2181f261-93e6-4166-a5a9-47deac58feff", "description": "The following analytic identifies the execution of the Windows built-in tool FSUTIL with the FSINFO parameter to discover file system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. Monitoring this activity is significant because FSUTIL can be abused by adversaries to gather detailed information about the file system, aiding in further exploitation. If confirmed malicious, this activity could enable attackers to map the file system, identify valuable data, and plan subsequent actions such as privilege escalation or persistence.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"fsutil.exe\" OR Processes.original_file_name = \"fsutil.exe\" AND Processes.process = \"*fsinfo*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_information_discovery_fsutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ingress Tool Transfer Using Explorer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "description": "The following analytic identifies instances where the Windows Explorer process (explorer.exe) is executed with a URL in its command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because adversaries, such as those using DCRat malware, may abuse explorer.exe to open URLs with the default browser, which is an uncommon and suspicious behavior. If confirmed malicious, this technique could allow attackers to download and execute malicious payloads, leading to potential system compromise and further malicious activities.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ingress_tool_transfer_using_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InProcServer32 New Outlook Form", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4", "description": "The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, potentially indicating exploitation of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths involving InProcServer32 keys linked to Outlook forms. This activity is significant as it may signify an attempt to achieve authenticated remote code execution via malicious form objects. If confirmed malicious, this could allow an attacker to create arbitrary files and registry keys, leading to remote code execution and potential full system compromise.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" Registry.registry_value_data=*\\\\FORMS\\\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_inprocserver32_new_outlook_form_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Input Capture Using Credential UI Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "description": "The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\credui.dll\" AND OriginalFileName = \"credui.dll\") OR (ImageLoaded = \"*\\\\wincredui.dll\" AND OriginalFileName = \"wincredui.dll\") AND NOT(Image IN(\"*\\\\windows\\\\explorer.exe\", \"*\\\\windows\\\\system32\\\\*\", \"*\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_input_capture_using_credential_ui_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Credential Theft", "author": "Michael Haag, Mauricio Velazo, Splunk", "date": "2024-05-18", "version": 5, "id": "ccfeddec-43ec-11ec-b494-acde48001122", "description": "The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.", "references": ["https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0"], "tags": {"analytic_story": ["Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of process name [$process_name$] loading a file [$loaded_file$] was identified on endpoint- [$dest$] to potentially capture credentials in memory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Typically, this will not trigger because, by its very nature, InstallUtil does not require credentials. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_installutil_credential_theft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "dcf74b22-7933-11ec-857c-acde48001122", "description": "The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Living Off The Land", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Remote Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "4fbf9270-43da-11ec-9486-acde48001122", "description": "The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ generating a remote download.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_remote_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "description": "The following analytic detects the use of the Windows InstallUtil.exe binary with the `/u` (uninstall) switch, which can execute code while bypassing application control. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it can indicate an attempt to execute malicious code without administrative privileges. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise or persistence within the environment.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") NOT (Processes.process IN (\"*C:\\\\WINDOWS\\\\CCM\\\\*\")) NOT (Processes.parent_process_name IN (\"Microsoft.SharePoint.Migration.ClientInstaller.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_installutil_uninstall_option_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. Filter as needed by parent process or application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "1a52c836-43ef-11ec-a36c-acde48001122", "description": "The following analytic identifies the use of Windows InstallUtil.exe making a remote network connection using the `/u` (uninstall) switch. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and network activity data. This behavior is significant as it may indicate an attempt to download and execute code while bypassing application control mechanisms. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil URL in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "28e06670-43df-11ec-a569-acde48001122", "description": "The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md", "https://gist.github.com/DanielRTeixeira/0fd06ec8f041f34a32bf5623c6dd479d"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*http://*\",\"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ISO LNK File Creation", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "description": "The following analytic detects the creation of .iso.lnk files in the %USER%\\AppData\\Local\\Temp\\\\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Spearphishing Attachments", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\Microsoft\\\\Windows\\\\Recent\\\\*\") Filesystem.file_name IN (\"*.iso.lnk\", \"*.img.lnk\", \"*.vhd.lnk\", \"*vhdx.lnk\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_iso_lnk_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Java Spawning Shells", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "28c81306-5c47-11ec-bfea-acde48001122", "description": "The following analytic identifies instances where java.exe or w3wp.exe spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, attackers could execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_java_spawning_shells_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Kerberos Local Successful Logon", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "8309c3a8-4d34-48ae-ad66-631658214653", "description": "The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos action=success src=127.0.0.1 | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_kerberos_local_successful_logon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Known Abused DLL Created", "author": "Steven Dick", "date": "2024-05-17", "version": 2, "id": "ea91651a-772a-4b02-ac3d-985b364a5f07", "description": "The following analytic identifies the creation of Dynamic Link Libraries (DLLs) with a known history of exploitation in atypical locations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and filesystem events. This activity is significant as it may indicate DLL search order hijacking or sideloading, techniques used by attackers to execute arbitrary code, maintain persistence, or escalate privileges. If confirmed malicious, this activity could allow attackers to blend in with legitimate operations, posing a severe threat to system integrity and security.", "references": ["https://attack.mitre.org/techniques/T1574/002/", "https://hijacklibs.net/api/", "https://wietze.github.io/blog/hijacking-dlls-in-windows", "https://github.com/olafhartong/sysmon-modular/pull/195/files"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "The file [$file_name$] was written to an unusual location by [$process_name$] on [$dest$].", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!=\"unknown\" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\users\\\\*\",\"*\\\\Windows\\Temp\\\\*\",\"*\\\\programdata\\\\*\") Filesystem.file_name=\"*.dll\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_known_abused_dll_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs_loaded", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs_loaded.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library),WILDCARD(excludes)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Known GraphicalProton Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "bf471c94-0324-4b19-a113-d02749b969bc", "description": "The following analytic detects the loading of DLL modules associated with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This activity is significant as it may indicate the presence of a sophisticated backdoor, warranting immediate investigation. If confirmed malicious, the attacker could gain persistent access to the compromised host, potentially leading to further exploitation and data exfiltration.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Known GraphicalProton backdoor Loaded Modules on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\AclNumsInvertHost.dll\", \"*\\\\ModeBitmapNumericAnimate.dll\", \"*\\\\UnregisterAncestorAppendAuto.dll\", \"*\\\\DeregisterSeekUsers.dll\", \"*\\\\ScrollbarHandleGet.dll\", \"*\\\\PerformanceCaptionApi.dll\", \"*\\\\WowIcmpRemoveReg.dll\", \"*\\\\BlendMonitorStringBuild.dll\", \"*\\\\HandleFrequencyAll.dll\", \"*\\\\HardSwapColor.dll\", \"*\\\\LengthInMemoryActivate.dll\", \"*\\\\ParametersNamesPopup.dll\", \"*\\\\ModeFolderSignMove.dll\", \"*\\\\ChildPaletteConnected.dll\", \"*\\\\AddressResourcesSpec.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_known_graphicalproton_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows KrbRelayUp Service Creation", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 3, "id": "e40ef542-8241-4419-9af4-6324582ea60a", "description": "The following analytic detects the creation of a service with the default name \"KrbSCM\" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was created on $dest$, related to KrbRelayUp.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_krbrelayup_service_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "description": "The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.", "references": ["https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "type": "Endpoint", "role": ["Victim"]}], "message": "A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_large_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Lateral Tool Transfer RemCom", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "e373a840-5bdc-47ef-b2fd-9cc7aaf387f0", "description": "The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process=\"*\\\\*\" Processes.process IN (\"*/user:*\", \"*/pwd:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on Administrative use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_lateral_tool_transfer_remcom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ldifde Directory Object Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "35cd29ca-f08c-4489-8815-f715c45460d3", "description": "The following analytic identifies the use of Ldifde.exe, a command-line utility for creating, modifying, or deleting LDAP directory objects. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution and command-line arguments. Monitoring Ldifde.exe is significant because it can be used by attackers to manipulate directory objects, potentially leading to unauthorized changes or data exfiltration. If confirmed malicious, this activity could allow an attacker to gain control over directory services, escalate privileges, or access sensitive information within the network.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Ldifde/", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://twitter.com/0gtweet/status/1564968845726580736?s=20", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-45D28FB47E9B6ACC5DCA9FDA3E790210.html"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ldifde_directory_object_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Linked Policies In ADSI Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "510ea428-4731-4d2f-8829-a28293e427aa", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for domain organizational units. This detection leverages PowerShell operational logs to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, and `findAll()`. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness of the domain structure. If confirmed malicious, this could lead to further exploitation, such as privilege escalation or lateral movement within the network.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_linked_policies_in_adsi_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Local Administrator Credential Stuffing", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "09555511-aca6-484a-b6ab-72cd03d73c34", "description": "The following analytic detects attempts to authenticate using the built-in local Administrator account across more than 30 endpoints within a 5-minute window. It leverages Windows Event Logs, specifically events 4625 and 4624, to identify this behavior. This activity is significant as it may indicate an adversary attempting to validate stolen local credentials across multiple hosts, potentially leading to privilege escalation. If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/004/", "https://attack.mitre.org/techniques/T1110/", "https://www.blackhillsinfosec.com/wide-spread-local-admin-testing/", "https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do-it/", "https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/", "https://wiki.porchetta.industries/smb-protocol/password-spraying"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Local Administrator credential stuffing attack coming from $IpAddress$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_local_administrator_credential_stuffing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows LSA Secrets NoLMhash Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "48cc1605-538c-4223-8382-e36bee5b540d", "description": "The following analytic detects modifications to the Windows registry related to the Local Security Authority (LSA) NoLMHash setting. It identifies when the registry value is set to 0, indicating that the system will store passwords in the weaker Lan Manager (LM) hash format. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring this activity is crucial as it can indicate attempts to weaken password storage security. If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows LSA Secrets NoLMhash Registry on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\NoLMHash\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_lsa_secrets_nolmhash_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mail Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "description": "The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a SMTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\thunderbird.exe\",\"*\\\\outlook.exe\")) (DestinationPortName=\"smtp\" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mail_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mark Of The Web Bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "8ca13343-7405-4916-a2d1-ae34ce0c28ae", "description": "The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1553/005/", "https://github.com/nmantani/PS-MOTW#remove-motwps1"], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A mark-of-the-web data stream is deleted on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=23 TargetFilename = \"*:Zone.Identifier\" | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mark_of_the_web_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Explorer As Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "61490da9-52a1-4855-a0c5-28233c88c481", "description": "The following analytic identifies instances where explorer.exe is spawned by unusual parent processes such as cmd.exe, powershell.exe, or regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because explorer.exe is typically initiated by userinit.exe, and deviations from this norm can indicate code injection or process masquerading attempts by malware like Qakbot. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" AND Processes.process IN (\"*\\\\explorer.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_masquerading_explorer_as_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Msdtc Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "238f3a07-8440-480b-b26f-462f41d9a47c", "description": "The following analytic identifies the execution of msdtc.exe with specific command-line parameters (-a or -b), which are indicative of the PlugX malware. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because PlugX uses these parameters to masquerade its malicious operations within legitimate processes, making it harder to detect. If confirmed malicious, this behavior could allow attackers to gain unauthorized access, exfiltrate data, and conduct espionage, severely compromising the affected system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"], "tags": {"analytic_story": ["PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "msdtc.exe process with process commandline used by PlugX malware in $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"msdtc.exe\" Processes.process = \"*msdtc.exe*\" Processes.process IN (\"* -a*\", \"* -b*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_masquerading_msdtc_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_masquerading_msdtc_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Binary Execution", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "description": "The following analytic identifies the execution of the native mimikatz.exe binary on Windows systems, including instances where the binary is renamed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because Mimikatz is a widely used tool for extracting authentication credentials, posing a severe security risk. If confirmed malicious, this activity could allow attackers to obtain sensitive credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and system compromise.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.varonis.com/blog/what-is-mimikatz", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-320A", "CISA AA23-347A", "Credential Dumping", "Flax Typhoon", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "description": "The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment.", "references": ["https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645"], "tags": {"analytic_story": ["CISA AA23-347A", "Sandworm Tools", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificate file extensions realted to Mimikatz were identified on disk on $dest$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.keyx.rsa.pvk\",\"*sign.rsa.pvk\",\"*sign.dsa.pvk\",\"*dsa.ec.p8k\",\"*dh.ec.p8k\", \"*.pfx\", \"*.der\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_crypto_export_file_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "6410a403-36bb-490f-a06a-11c3be7d2a41", "description": "The following analytic detects modifications to the Windows registry key \"AuthenticationLevelOverride\" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for authentication level settings was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Server Client\\\\AuthenticationLevelOverride\" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint", "Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_authenticationleveloverride_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Minor Updates", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "description": "The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" with a value of \"0x00000000\". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_minor_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Update Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "description": "The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to \"Notify before download.\" This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update notification on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AUOptions\" AND Registry.registry_value_data=\"0x00000002\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_update_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Default Icon Setting", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "description": "The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under \"*HKCR\\\\*\\\\defaultIcon\\\\(Default)*\". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\defaultIcon\\\\(Default)*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_default_icon_setting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Restricted Admin", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "cee573a0-7587-48e6-ae99-10e8c657e89a", "description": "The following analytic detects modifications to the Windows registry entry \"DisableRestrictedAdmin,\" which controls the Restricted Admin mode behavior. This detection leverages registry activity logs from endpoint data sources like Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows Modify Registry Disable Restricted Admin on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_restricted_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Toast Notifications", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "description": "The following analytic detects modifications to the Windows registry that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" with a value set to \"0x00000000\". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for DisallowRun settings was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_toast_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection.", "references": ["https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for raw write notification settings was modified to disable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" with a value of \"0x00000001\". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to disable Windows Defender notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windefender_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "description": "The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" with a value of \"0x00000000\". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for security center notification settings was modified to disable mode in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windows_security_center_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "4927c6f1-4667-42e6-bd7a-f5222116386b", "description": "The following analytic detects modifications to the Windows registry key \"DisableRemoteDesktopAntiAlias\" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableRemoteDesktopAntiAlias\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disableremotedesktopantialias_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "989019b4-b7aa-418a-9a17-2293e91288b6", "description": "The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for terminal services settings was modified to disable security settings on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableSecuritySettings\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disablesecuritysettings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disabling WER Settings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "description": "The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to \"0x00000001\". This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disabling_wer_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisAllow Windows App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "description": "The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" with a value of \"0x00000001\". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for DisallowRun settings was modified to enable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disallow_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" with a value of \"0x00000001\". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_do_not_connect_to_win_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DontShowUI", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "4ff9767b-fdf2-489c-83a5-c6c34412d72e", "description": "The following analytic detects modifications to the Windows Error Reporting registry key \"DontShowUI\" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disable show UI on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\DontShowUI\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_dontshowui_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry EnableLinkedConnections", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "93048164-3358-4af0-8680-aa5f38440516", "description": "The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" and the value is set to \"0x00000001\". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows EnableLinkedConnections configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_enablelinkedconnections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry LongPathsEnabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "36f9626c-4272-4808-aadd-267acce681c0", "description": "The following analytic detects a modification to the Windows registry setting \"LongPathsEnabled,\" which allows file paths longer than 260 characters. This detection leverages data from the Endpoint.Registry datamodel, focusing on changes to the specific registry path and value. This activity is significant because adversaries, including malware like BlackByte, exploit this setting to bypass file path limitations, potentially aiding in evasion techniques. If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows LongPathEnable configuration on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_longpathsenabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry MaxConnectionPerServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "064cd09f-1ff4-4823-97e0-45c2f5b087ec", "description": "The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. If confirmed malicious, this could lead to network disruption or further compromise of additional systems.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in max connection per server configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPerServer*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPer1_0Server*\") Registry.registry_value_data = \"0x0000000a\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_maxconnectionperserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoRebootWithLoggedOnUsers\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "description": "The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoUpdate\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry NoChangingWallPaper", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "a2276412-e254-4e9a-9082-4d92edb6a3e0", "description": "The following analytic detects modifications to the Windows registry aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"NoChangingWallPaper\" registry value. This activity is significant as it is a known tactic used by Rhysida ransomware to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to disable changing of wallpaper on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ActiveDesktop\\\\NoChangingWallPaper\" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_nochangingwallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyEnable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5", "description": "The following analytic detects modifications to the Windows registry key \"ProxyEnable\" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Internet Settings\\ProxyEnable\" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to enable proxy on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyEnable\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyenable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "12bdaa0b-3c59-4489-aae1-bff6d67746ef", "description": "The following analytic detects modifications to the Windows registry key for setting up a proxy server. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the \"Internet Settings\\\\ProxyServer\" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to setup proxy server on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyServer\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-12", "version": 3, "id": "2e768497-04e0-4188-b800-70dd2be0e30d", "description": "The following analytic detects the creation of a suspicious registry entry by Qakbot malware, characterized by 8 random registry value names with encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the \"SOFTWARE\\\\Microsoft\\\\\" path by processes like explorer.exe. This activity is significant as it indicates potential Qakbot infection, which uses the registry to store malicious code or configuration data. If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry with binary data created by $process_name$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\*\" AND Registry.registry_value_data = \"Binary Data\" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name=\"^[0-9a-fA-F]{8}\" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"explorer.exe\", \"wermgr.exe\",\"dxdiag.exe\", \"OneDriveSetup.exe\", \"mobsync.exe\", \"msra.exe\", \"xwizard.exe\") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_qakbot_binary_data_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Reg Restore", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e", "description": "The following analytic detects the execution of reg.exe with the \"restore\" parameter, indicating an attempt to restore registry backup data on a host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate post-exploitation actions, such as those performed by tools like winpeas, which use \"reg save\" and \"reg restore\" to manipulate registry settings. If confirmed malicious, this could allow an attacker to revert registry changes, potentially bypassing security controls and maintaining persistence.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* restore *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_reg_restore_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "824dd598-71be-4203-bc3b-024f4cda340e", "description": "The following analytic detects the modification of the Windows registry using the regedit.exe application with the silent mode parameter. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because the silent mode allows registry changes without user confirmation, which can be exploited by adversaries to import malicious registry settings. If confirmed malicious, this could enable attackers to persist in the environment, escalate privileges, or manipulate system configurations, leading to potential system compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The regedit app was executed with silet mode parameter to import .reg file on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\") AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_regedit_silent_reg_import_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "5eb479b1-a5ea-4e01-8365-780078613776", "description": "The following analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected. It leverages data from the Risk data model in Splunk, focusing on registry-related sources and MITRE technique annotations. This activity is significant because multiple registry modifications can indicate an attempt to persist, hide malicious configurations, or erase forensic evidence. If confirmed malicious, this behavior could allow attackers to maintain persistent access, execute malicious code, and evade detection, posing a severe threat to the integrity and security of the affected host.", "references": ["https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html", "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", "https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html", "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Modify Registry behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*registry*\") All_Risk.annotations.mitre_attack.mitre_technique_id IN (\"*T1112*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | `windows_modify_registry_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "description": "The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the \"Notification_Suppress\" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_suppress_win_defender_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Tamper Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "description": "The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to tamper Windows Defender protection on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_tamper_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\UpdateServiceUrlAlternate\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_updateserviceurlalternate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry USeWuServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key \"UseWUServer.\" It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to \"0x00000001.\" This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\UseWUServer\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_usewuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "4662c6b1-0754-455e-b9ff-3ee730af3ba8", "description": "The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A md5 registry value name $registry_value_name$ is created on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\*\" Registry.registry_value_data = \"Binary Data\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, \"\\\\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,\"^[0-9a-fA-F]{32}$\"),\"md5\",\"nonmd5\") | where validation_result = \"md5\" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_with_md5_reg_key_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry WuServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "description": "The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry wuStatusServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "description": "The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUStatusServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wustatusserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 4, "id": "b7548c2e-9a10-11ec-99e3-acde48001122", "description": "The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"ShowCompColor\" and \"ShowInfoTip\" values under the \"Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\" path. This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"ShowCompColor\" and \"ShowInfoTips\" on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_show_compress_color_and_info_tip_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify System Firewall with Notable Process Path", "author": "Teoderick Contreras, Will Metcalf, Splunk", "date": "2024-05-10", "version": 2, "id": "cd6d7410-9146-4471-a418-49edba6dadc4", "description": "The following analytic detects suspicious modifications to system firewall rules, specifically allowing execution of applications from notable and potentially malicious file paths. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving firewall rule changes. This activity is significant as it may indicate an adversary attempting to bypass firewall restrictions to execute malicious files. If confirmed malicious, this could allow attackers to execute unauthorized code, potentially leading to further system compromise, data exfiltration, or persistence within the environment.", "references": ["https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" Processes.process IN (\"*\\\\windows\\\\fonts\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\windows\\\\debug\\\\*\", \"*\\\\Users\\\\Administrator\\\\Music\\\\*\", \"*\\\\Windows\\\\servicing\\\\*\", \"*\\\\Users\\\\Default\\\\*\",\"*Recycle.bin*\", \"*\\\\Windows\\\\Media\\\\*\", \"\\\\Windows\\\\repair\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\PerfLogs\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_system_firewall_with_notable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_system_firewall_with_notable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOF Event Triggered Execution via WMI", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "description": "The following analytic detects the execution of MOFComp.exe loading a MOF file, often triggered by cmd.exe or powershell.exe, or from unusual paths like User Profile directories. It leverages Endpoint Detection and Response (EDR) data, focusing on process names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker using WMI for persistence or lateral movement. If confirmed malicious, it could allow the attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "references": ["https://attack.mitre.org/techniques/T1546/003/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/", "https://www.sakshamdixit.com/wmi-events/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN (\"cmd.exe\", \"powershell.exe\") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe Processes.process IN (\"*\\\\AppData\\\\Local\\\\*\",\"*\\\\Users\\\\Public\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or file paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mof_event_triggered_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOVEit Transfer Writing ASPX", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "description": "The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft"], "tags": {"analytic_story": ["MOVEit Transfer Critical Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The MOVEit application on $dest$ has written a new ASPX file to disk.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\MOVEitTransfer\\\\wwwroot\\\\*\") Filesystem.file_name IN(\"*.aspx\", \"*.ashx\", \"*.asp*\") OR Filesystem.file_name IN (\"human2.aspx\",\"_human2.aspx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_moveit_transfer_writing_aspx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "396de86f-25e7-4b0e-be09-a330be35249d", "description": "The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.", "references": ["https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`msexchange_management` EventCode=1 Message IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"*Search-Mailbox*\") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`", "how_to_implement": "The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.", "known_false_positives": "False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "msexchange_management", "definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_msexchange_management_mailbox_cmdlet_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mshta Execution In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "e13ceade-b673-4d34-adc4-4d9c01729753", "description": "The following analytic detects the execution of mshta.exe via registry entries to run malicious scripts. It leverages registry activity logs to identify entries containing \"mshta,\" \"javascript,\" \"vbscript,\" or \"WScript.Shell.\" This behavior is significant as it indicates potential fileless malware, such as Kovter, which uses encoded scripts in the registry to persist and execute without files. If confirmed malicious, this activity could allow attackers to maintain persistence, execute arbitrary code, and evade traditional file-based detection methods, posing a significant threat to system integrity and security.", "references": ["https://redcanary.com/threat-detection-report/techniques/mshta/", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide"], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry $registry_path$ contains mshta $registry_value_data$ in $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mshta_execution_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSHTA Writing to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "efbcf8ee-bc75-47f1-8985-a5c638c4faf0", "description": "The following analytic identifies instances of `mshta.exe` writing files to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file write operations by `mshta.exe` to directories like `C:\\Windows\\Tasks` and `C:\\Windows\\Temp`. This activity is significant as it often indicates an attempt to establish persistence or execute malicious code, deviating from the utility's legitimate use. If confirmed malicious, this behavior could lead to the execution of multi-stage payloads, potentially resulting in full system compromise and unauthorized access to sensitive information.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ writing to $TargetFilename$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*\\\\mshta.exe\" TargetFilename IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") | rename Computer as dest, User as user | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\\Windows\\Tasks`, `C:\\Windows\\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed.", "known_false_positives": "False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mshta_writing_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-06", "version": 2, "id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "description": "The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/y*\", \"*-y*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "9683271d-92e4-43b5-a907-1983bfb9f7fd", "description": "The following analytic detects the execution of the msiexec.exe process with the /HideWindow and rundll32 command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because it is a known tactic used by malware like QakBot to mask malicious operations under legitimate system processes. If confirmed malicious, this behavior could allow an attacker to download additional payloads, execute malicious code, or establish communication with remote servers, thereby evading detection and maintaining persistence.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a msiexec parent process with /hidewindow rundll32 process commandline in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = \"* /HideWindow *\" Processes.process = \"* rundll32*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_hidewindow_rundll32_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other possible 3rd party msi software installers use this technique as part of its installation process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_hidewindow_rundll32_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Remote Download", "author": "Michael Haag, Splunk", "date": "2024-05-08", "version": 2, "id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "description": "The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*http://*\", \"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter by destination or parent process as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_remote_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn Discovery Command", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "description": "The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN (\"powershell.exe\",\"cmd.exe\", \"nltest.exe\",\"ipconfig.exe\",\"systeminfo.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_discovery_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn WinDBG", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "9a18f7c2-1fe3-47b8-9467-8b3976770a30", "description": "The following analytic identifies the unusual behavior of MSIExec spawning WinDBG. It detects this activity by analyzing endpoint telemetry data, specifically looking for instances where 'msiexec.exe' is the parent process of 'windbg.exe'. This behavior is significant as it may indicate an attempt to debug or tamper with system processes, which is uncommon in typical user activity and could signify malicious intent. If confirmed malicious, this activity could allow an attacker to manipulate or inspect running processes, potentially leading to privilege escalation or persistence within the environment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name=windbg.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process_path Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_msiexec_spawn_windbg_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_windbg_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "description": "The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/z*\", \"*-z*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_unregister_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec With Network Connections", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "827409a1-5393-4d8d-8da4-bbb297c262a7", "description": "The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering is required.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_with_network_connections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multi hop Proxy TOR Website Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4c2d198b-da58-48d7-ba27-9368732d0054", "description": "The following analytic identifies DNS queries to known TOR proxy websites, such as \"*.torproject.org\" and \"www.theonionrouter.com\". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a dns query in a tor domain $QueryName$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*.torproject.org\", \"www.theonionrouter.com\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this proxies if allowed in production environment. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multi_hop_proxy_tor_website_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Account Passwords Changed", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "faefb681-14be-4f0d-9cac-0bc0160c7280", "description": "The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ changed the passwords of multiple accounts in a short period of time.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4724 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_account_passwords_changed_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_account_passwords_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Accounts Deleted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "49c0d4d6-c55d-4d3a-b3d5-7709fafed70d", "description": "The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ deleted multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4726 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_deleted_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_accounts_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Accounts Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "5d93894e-befa-4429-abde-7fc541020b7b", "description": "The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ disabled multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4725 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_accounts_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 3, "id": "98f22d82-9d62-11eb-9fcf-acde48001122", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "001266a6-9d5b-11eb-829b-acde48001122", "description": "The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "57ad5a64-9df7-11eb-a290-acde48001122", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "e61918fa-9ca4-11eb-836c-acde48001122", "description": "The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "7ed272a4-9c77-11eb-af22-acde48001122", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "9015385a-9c84-11eb-bef2-acde48001122", "description": "The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "3a91a212-98a9-11eb-b86a-acde48001122", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these events over a 5-minute window. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 3, "id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows New InProcServer32 Added", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "0fa86e31-0f73-4ec7-9ca3-dc88e117f1db", "description": "The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ .", "risk_score": 2, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_new_inprocserver32_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "description": "The following analytic detects the execution of ngrok.exe on a Windows operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly used by adversaries to bypass network defenses and establish reverse proxies. If confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, or facilitate further attacks by tunneling traffic through the compromised system.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft AdvancedRun", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "bb4f3090-7ae4-11ec-897f-acde48001122", "description": "The following analytic detects the execution of AdvancedRun.exe, a tool with capabilities similar to remote administration programs like PsExec. It identifies the process by its name or original file name and flags common command-line arguments. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. Monitoring this activity is crucial as AdvancedRun can be used for remote code execution and configuration-based automation. If malicious, this could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment.", "references": ["http://www.nirsoft.net/utils/advanced_run.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Ransomware", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN (\"*EXEFilename*\",\"*/cfg*\",\"*RunAs*\", \"*WindowState*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_advancedrun_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft Utilities", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "description": "The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/TA18-201A", "http://www.nirsoft.net/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` | `windows_nirsoft_utilities_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Filtering may be required before setting to alert.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_nirsoft_software_macro", "definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_utilities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Njrat Fileless Storage via Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "a5fffbbd-271f-4980-94ed-4fbf17f0af1c", "description": "The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a suspicious registry entry related to NjRAT keylloging registry in $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\[kl]\" OR Registry.registry_value_data IN (\"*[ENTER]*\", \"*[TAP]*\", \"*[Back]*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_njrat_fileless_storage_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Non Discord App Access Discord LevelDB", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "1166360c-d495-45ac-87a6-8948aac1fa07", "description": "The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-discord process $process_name$ accessing discord \"leveldb\" file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\discord\\\\Local Storage\\\\leveldb*\") AND process_name != *\\\\discord.exe AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_discord_app_access_discord_leveldb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Non-System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 3, "id": "b1ce9a72-73cf-11ec-981b-acde48001122", "description": "The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_path", "type": "Process", "role": ["Parent Process"]}], "message": "A process, $parent_process_path$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on legitimate application requests, filter based on source image as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "description": "The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present as this is meant to assist with filtering and tuning.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load DLL", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "description": "The following analytic detects the execution of odbcconf.exe with the regsvr action to load a DLL. This is identified by monitoring command-line arguments in process creation logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to execute arbitrary code via DLL loading, a common technique used in various attack vectors. If confirmed malicious, this could allow an attacker to execute code with the privileges of the odbcconf.exe process, potentially leading to system compromise or further lateral movement.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*/a *\", \"*-a*\") Processes.process=\"*regsvr*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load Response File", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "description": "The following analytic detects the execution of odbcconf.exe with a response file, which may contain commands to load a DLL (REGSVR) or other instructions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to execute arbitrary code or load malicious DLLs, potentially leading to unauthorized actions. If confirmed malicious, this could allow an attacker to gain code execution, escalate privileges, or establish persistence within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*-f *\",\"*/f *\") Processes.process=\"*.rsp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_response_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Office Product Spawning MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 5, "id": "127eba64-c981-40bf-8589-1830638864a7", "description": "The following analytic detects a Microsoft Office product spawning the Windows msdt.exe process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt to exploit protocol handlers to bypass security controls, even if macros are disabled. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "Office parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"outlook.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_office_product_spawning_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PaperCut NG Spawn Shell", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "description": "The following analytic detects instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, such as cmd.exe or PowerShell. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is pc-app.exe. This activity is significant as it may indicate an attacker attempting to gain unauthorized access or execute malicious commands on the system. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or further compromise of the affected environment.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, but most likely not. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_papercut_ng_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Parent PID Spoofing with Explorer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "17f8f69c-5d00-4c88-9c6f-493bbdef20a1", "description": "The following analytic identifies a suspicious `explorer.exe` process with the `/root` command-line parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and command-line data. The presence of `/root` in `explorer.exe` is significant as it may indicate parent process spoofing, a technique used by malware to evade detection. If confirmed malicious, this activity could allow an attacker to operate undetected, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment.", "references": ["https://x.com/CyberRaiju/status/1273597319322058752?s=20"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An explorer.exe process with process commandline $process$ on dest $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*explorer.exe*\" Processes.process=\"*/root,*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_parent_pid_spoofing_with_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_parent_pid_spoofing_with_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Password Managers Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "description": "The following analytic identifies command-line activity that searches for files related to password manager software, such as \"*.kdbx*\" and \"*credential*\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often target password manager databases to extract stored credentials, which can be used for further exploitation. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, enabling attackers to escalate privileges, move laterally, or exfiltrate critical data.", "references": ["https://attack.mitre.org/techniques/T1555/005/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to password manager databases in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.kdbx*\", \"*credential*\", \"*key3.db*\",\"*pass*\", \"*cred*\", \"*key4.db*\", \"*accessTokens*\", \"*access_tokens*\", \"*.htpasswd*\", \"*Ntds.dit*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_password_managers_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "fca01769-5163-4b3a-ae44-de874adfc9bc", "description": "The following analytic detects the creation of a DLL file by an outlook.exe process in the AppData\\Local\\Microsoft\\FORMS directory. This detection leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on process and file creation events. This activity is significant as it may indicate an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially malicious DLL. If confirmed malicious, this could allow an attacker to execute arbitrary code, leading to further system compromise or data exfiltration.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "an outlook process dropped dll file into $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name =\"*.dll\" Filesystem.file_path = \"*\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_outlook_drop_dll_in_form_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing PDF File Executes URL Link", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "description": "The following analytic detects suspicious PDF viewer processes spawning browser application child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it may indicate a PDF spear-phishing attempt where a malicious URL link is executed, leading to potential payload download. If confirmed malicious, this could allow attackers to execute code, escalate privileges, or persist in the environment by exploiting the user's browser to connect to a malicious site.", "references": ["https://twitter.com/pr0xylife/status/1615382907446767616?s=20"], "tags": {"analytic_story": ["Snake Keylogger", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"AcroRd32.exe\", \"FoxitPDFReader.exe\") Processes.process_name IN (\"firefox.exe\", \"chrome.exe\", \"iexplore.exe\") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_pdf_file_executes_url_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 3, "id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "description": "The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.iso\" OR Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.img\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_recent_iso_exec_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Possible Credential Dumping", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 4, "id": "e4723b92-7266-11ec-af45-acde48001122", "description": "The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe granted_access IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_possible_credential_dumping_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Post Exploitation Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "edb930df-64c2-4bb7-9b5c-889ed53fb973", "description": "The following analytic identifies four or more distinct post-exploitation behaviors on a Windows system. It leverages data from the Risk data model in Splunk Enterprise Security, focusing on multiple risk events and their associated MITRE ATT&CK tactics and techniques. This activity is significant as it indicates potential malicious actions following an initial compromise, such as persistence, privilege escalation, or data exfiltration. If confirmed malicious, this behavior could allow attackers to maintain control, escalate privileges, and further exploit the compromised environment, leading to significant security breaches and data loss.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat"], "tags": {"analytic_story": ["Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"*Windows Post-Exploitation*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_post_exploitation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "description": "The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing \"system.enterpriseservices.internal.publish\". This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was used to install a module to the Global Assembly Cache on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*system.enterpriseservices.internal.publish*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on developers or third party utilities adding items to the GAC.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_add_module_to_global_assembly_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Cryptography Namespace", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 3, "id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "description": "The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains cryptography command detected on host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_cryptography_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-05", "version": 2, "id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "description": "The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to \"false\" or \"dontLog\". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union"], "tags": {"analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*get-WebConfigurationProperty*\",\"*Set-ItemProperty*\") AND ScriptBlockText IN (\"*httpLogging*\",\"*Logfile.enabled*\") AND ScriptBlockText IN (\"*dontLog*\", \"*false*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "description": "The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-certificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-pfxcertificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "description": "The following analytic detects the use of the Get-CimInstance cmdlet with the -ComputerName parameter, indicating an attempt to retrieve information from a remote computer. It leverages PowerShell Script Block Logging to identify this specific command execution. This activity is significant as it may indicate unauthorized remote access or information gathering by an attacker. If confirmed malicious, this could allow the attacker to collect sensitive data from remote systems, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_get_ciminstance_remote_computer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "description": "The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, or modify IIS Modules. This detection leverages PowerShell Script Block Logging, specifically monitoring EventCode 4104 for these cmdlets. This activity is significant as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed malicious, this could allow attackers to persist in the environment, manipulate web server behavior, or escalate privileges.", "references": ["https://learn.microsoft.com/en-us/powershell/module/webadministration/new-webglobalmodule?view=windowsserver2022-ps", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*New-WebGlobalModule*\",\"*Enable-WebGlobalModule*\",\"*Set-WebGlobalModule*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_iis_components_webglobalmodule_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Import Applocker Policy", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "description": "The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "administrators may execute this command that may cause some false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_import_applocker_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell RemoteSigned File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "f7f7456b-470d-4a95-9703-698250645ff4", "description": "The following analytic identifies the use of the \"remotesigned\" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing \"remotesigned\" and \"-File\". This activity is significant because the \"remotesigned\" policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell commandline with remotesigned policy executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"* remotesigned *\" Processes.process=\"* -File *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_powershell_remotesigned_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell ScheduleTask", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "description": "The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise.", "references": ["https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-ScheduledTask*\", \"*New-ScheduledTaskAction*\", \"*New-ScheduledTaskSettingsSet*\", \"*New-ScheduledTaskTrigger*\", \"*Register-ClusteredScheduledTask*\", \"*Register-ScheduledTask*\", \"*Set-ClusteredScheduledTask*\", \"*Set-ScheduledTask*\", \"*Start-ScheduledTask*\", \"*Enable-ScheduledTask*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_scheduletask_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "47c69803-2c09-408b-b40a-063c064cbb16", "description": "The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_wmi_win32_scheduledjob_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerSploit GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "0130a0df-83a1-4647-9011-841e950ff302", "description": "The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://adsecurity.org/?p=2288", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Commandlets leveraged to discover GPP credentials were executed on $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powersploit_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "39405650-c364-4e1e-a740-32a63ef042a6", "description": "The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1078/002/", "https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView AD acccess control list enumeration detected on $Computer$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_ad_access_control_list_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-TrustedToAuth*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_constrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-31", "version": 2, "id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "description": "The following analytic detects the execution of the `Get-DomainSPNTicket` commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging (EventCode=4104). This commandlet requests Kerberos service tickets for specified service principal names (SPNs). Monitoring this activity is crucial as it can indicate attempts to perform Kerberoasting, a technique used to extract SPN account passwords via cracking tools like hashcat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive accounts, potentially leading to privilege escalation and further network compromise.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for requesting SPN service ticket executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView SPN Discovery", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "a7093c28-796c-4ebb-9997-e2c18b870837", "description": "The following analytic detects the execution of the `Get-DomainUser` or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) to identify these specific commands. This activity is significant as it suggests an attempt to enumerate domain accounts associated with Service Principal Names (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this could allow an attacker to identify and target accounts for credential theft, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for SPN discovery executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_spn_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-Unconstrained*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Private Keys Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "description": "The following analytic identifies processes that retrieve information related to private key files, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that search for private key certificates. This activity is significant as it indicates potential attempts to locate insecurely stored credentials, which adversaries can exploit for privilege escalation, persistence, or remote service authentication. If confirmed malicious, this behavior could allow attackers to access sensitive information, escalate privileges, or maintain persistence within the compromised environment.", "references": ["https://attack.mitre.org/techniques/T1552/004/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to private keys in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.rdg*\", \"*.gpg*\", \"*.pgp*\", \"*.p12*\", \"*.der*\", \"*.csr*\", \"*.cer*\", \"*.ovpn*\", \"*.key*\", \"*.ppk*\", \"*.p12*\", \"*.pem*\", \"*.pfx*\", \"*.p7b*\", \"*.asc*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_private_keys_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "author": "Steven Dick", "date": "2024-05-23", "version": 2, "id": "6a80300a-9f8a-4f22-bd3e-09ca577cfdfc", "description": "The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring or Sysmon Event ID 1. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN (\"system\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\")) OR (Processes.process_integrity_level IN (\"high\",\"system\") AND (Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") OR Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`", "how_to_implement": "Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.", "known_false_positives": "False positives may be generated by administrators installing benign applications using run-as/elevation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_suspicious_process_elevation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation System Process Without System Parent", "author": "Steven Dick", "date": "2024-05-28", "version": 2, "id": "5a5351cd-ba7e-499e-ad82-2ce160ffa637", "description": "The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon Event ID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=1 IntegrityLevel=\"system\" ParentUser=* NOT ParentUser IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"*DWM-*\",\"*$\",\"-\") | eval src_user = replace(ParentUser,\"^[^\\\\\\]+\\\\\\\\\",\"\") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_privilege_escalation_system_process_without_system_parent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "author": "Steven Dick", "date": "2024-05-13", "version": 2, "id": "c9687a28-39ad-43c6-8bcf-eaf061ba0cbe", "description": "The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $user$ launched a process [$process_name$] which spawned a system level integrity process [$system_process$].", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") AND Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"system\") AND Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_user_process_spawn_system_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 15.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_user_process_spawn_system_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Commandline Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "67d2a52e-a7e2-4a5d-ae44-a21212048bc2", "description": "The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to process commandline discovery detected on $dest$ using wmic.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= \"* process *\" Processes.process= \"* get commandline *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_commandline_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "d131673f-ede1-47f2-93a1-0108d3e7fafd", "description": "The following analytic identifies instances of the searchindexer.exe process that are not spawned by services.exe, indicating potential process injection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes. This activity is significant because QakBot malware often uses a fake searchindexer.exe to evade detection and perform malicious actions such as data exfiltration and keystroke logging. If confirmed malicious, this activity could allow attackers to maintain persistence, steal sensitive information, and communicate with command and control servers.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An uncommon non-service searchindexer.exe process in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_injection_in_non_service_searchindexer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection into Notepad", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "description": "The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "references": ["https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN (*\\\\notepad.exe) NOT (SourceImage IN (\"*\\\\system32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\Program Files\\\\*\")) GrantedAccess IN (\"0x40\",\"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_into_notepad_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "description": "The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.", "references": ["https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\wermgr.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_of_wermgr_to_known_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Remote Thread", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "description": "The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\Taskmgr.exe\", \"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\",\"*\\\\cmd.exe\", \"*\\\\powershell.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_remote_thread_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Wermgr Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "description": "The following analytic identifies a suspicious instance of wermgr.exe spawning a child process unrelated to error or fault handling. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant as it can indicate Qakbot malware, which injects malicious code into wermgr.exe to evade detection and execute malicious actions. If confirmed malicious, this behavior could allow an attacker to conduct reconnaissance, execute arbitrary code, and persist within the network, posing a severe security risk.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wermgr parent process has a child process $process_name$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" AND NOT (Processes.process_name IN (\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_injection_wermgr_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection With Public Source Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "description": "The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=8 TargetImage = \"*.exe\" AND NOT(SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_with_public_source_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process With NamedPipe CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "e64399d4-94a8-11ec-a9da-acde48001122", "description": "The following analytic detects processes with command lines containing named pipes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant as it is often used by adversaries, such as those behind the Olympic Destroyer malware, for inter-process communication post-injection, aiding in defense evasion and privilege escalation. If confirmed malicious, this activity could allow attackers to maintain persistence, escalate privileges, or evade defenses, potentially leading to further compromise of the system.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process with named pipe in $process$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*\\\\\\\\.\\\\pipe\\\\*\" NOT (Processes.process_path IN (\"*\\\\program files*\")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Normal browser application may use this technique. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_with_namedpipe_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Writing File to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "c051b68c-60f7-4022-b3ad-773bec7a225b", "description": "The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://research.splunk.com/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A process wrote a file name- [$file_name$] to a world writable file path [$file_path$] on host- [$dest$].", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_writing_file_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "description": "The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like \"PServiceControl.exe\" and \"PService_PPD.exe\" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process was terminated $process_name$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=5 process_name IN (\"PServiceControl.exe\", \"PService_PPD.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_processes_killed_by_industroyer2_malware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Protocol Tunneling with Plink", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "description": "The following analytic detects the use of Plink for protocol tunneling, either for egress or lateral movement within an organization. It identifies specific Plink command-line options (-R, -L, -D, -l) by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to bypass network security controls or establish unauthorized connections. If confirmed malicious, this could allow an attacker to exfiltrate data, move laterally across the network, or maintain persistent access, posing a severe threat to the organization's security.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html", "https://attack.mitre.org/techniques/T1572/", "https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5"], "tags": {"analytic_story": ["CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe OR Processes.original_file_name=Plink Processes.process IN (\"*-R *\", \"*-L *\", \"*-D *\", \"*-l *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_protocol_tunneling_with_plink_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "description": "The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"portproxy\" and \"v4tov4\" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* portproxy *\" Processes.process = \"* v4tov4 *\" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "0270455b-1385-4579-9ac5-e77046c508ae", "description": "The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification for port proxy in$dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry Browser List Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "description": "The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process accessing installed default browser registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\", \"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\") AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_browser_list_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry Reg Save", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "cbee60c1-b776-456f-83c2-faa56bdbe6c6", "description": "The following analytic detects the execution of the reg.exe process with the \"save\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the \"reg save\" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["CISA AA23-347A", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* save *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_query_registry_reg_save_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry UnInstall Program List", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "description": "The following analytic detects a suspicious query on the uninstall application list in the Windows OS registry. It leverages Windows Security Event logs, specifically event code 4663, to identify access to the \"Uninstall\" registry key. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing uninstall registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_uninstall_program_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raccine Scheduled Task Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "c9f010da-57ab-11ec-82bd-acde48001122", "description": "The following analytic identifies the deletion of the Raccine Rules Updater scheduled task using the `schtasks.exe` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may delete this task to disable Raccine, a tool designed to prevent ransomware attacks. If confirmed malicious, this action could allow ransomware to execute without interference, leading to potential data encryption and loss.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/Neo23x0/Raccine"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*delete*\" AND Processes.process=\"*Raccine*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_raccine_scheduled_task_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "description": "The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!=\"ANONYMOUS LOGON\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_rapid_authentication_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rasautou DLL Execution", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "description": "The following analytic detects the execution of an arbitrary DLL by the Windows Remote Auto Dialer (rasautou.exe). This behavior is identified by analyzing process creation events where rasautou.exe is executed with specific command-line arguments. This activity is significant because it leverages a Living Off The Land Binary (LOLBin) to execute potentially malicious code, bypassing traditional security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "references": ["https://github.com/mandiant/DueDLLigence", "https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1", "https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513", "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe Processes.process=\"* -d *\"AND Processes.process=\"* -p *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rasautou_dll_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Disk Volume Partition", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a85aa37e-9647-11ec-90c5-acde48001122", "description": "The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process accessing disk partition $Device$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_disk_volume_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "7b83f666-900c-11ec-a2d9-acde48001122", "description": "The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.", "references": ["https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "process accessing MBR $Device$ on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\Harddisk0\\\\DR0 NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_master_boot_record_drive_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows RDP Connection Successful", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "description": "The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.", "references": ["https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706", "https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A successful RDP connection on $dest$ occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`", "how_to_implement": "The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.", "known_false_positives": "False positives will be present, filter as needed or restrict to critical assets on the perimeter.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remoteconnectionmanager", "definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_rdp_connection_successful_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry BootExecute Modification", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "description": "The following analytic detects modifications to the BootExecute registry key, which manages applications and services executed during system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\". This activity is significant because unauthorized changes to this key can indicate attempts to achieve persistence, load malicious code, or tamper with the boot process. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_bootexecute_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Certificate Added", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "description": "The following analytic detects the installation of a root CA certificate by monitoring specific registry paths for SetValue events. It leverages data from the Endpoint datamodel, focusing on registry paths containing \"certificates\" and registry values named \"Blob.\" This activity is significant because unauthorized root CA certificates can compromise the integrity of encrypted communications and facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an attacker to intercept, decrypt, or manipulate sensitive data, leading to severe security breaches.", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004"], "tags": {"analytic_story": ["Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A root certificate was added on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\certificates\\\\*\") AND Registry.registry_value_name=\"Blob\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_certificate_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Delete Task SD", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "ffeb7893-ff06-446f-815b-33ca73224e92", "description": "The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions or modifications of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security. Immediate investigation is required.", "references": ["https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://gist.github.com/MHaggis/5f7fd6745915166fc6da863d685e2728", "https://gist.github.com/MHaggis/b246e2fae6213e762a6e694cabaf0c17"], "tags": {"analytic_story": ["Scheduled Tasks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A scheduled task security descriptor was deleted from the registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Schedule\\\\TaskCache\\\\Tree\\\\*\") Registry.user=\"SYSTEM\" Registry.registry_value_name=\"SD\" (Registry.action=Deleted OR Registry.action=modified) by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_delete_task_sd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-20", "version": 5, "id": "c6149154-c9d8-11eb-9da7-acde48001122", "description": "The following analytic identifies modifications to the SafeBoot registry keys, specifically within the Minimal and Network paths. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring these keys is crucial as adversaries can use them to persist drivers or services in Safe Mode, with Network allowing network connections. If confirmed malicious, this activity could enable attackers to maintain persistence even in Safe Mode, potentially bypassing certain security measures and facilitating further malicious actions.", "references": ["https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md", "https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/"], "tags": {"analytic_story": ["Ransomware", "Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\*\",\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\*\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "updated windows application needed in safe boot may used this registry", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_modification_for_safe_mode_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Payload Injection", "author": "Steven Dick", "date": "2024-05-10", "version": 2, "id": "c6b2d80f-179a-41a1-b95e-ce5601d7427a", "description": "The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless", "https://attack.mitre.org/techniques/T1027/011/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ added a suspicious length of registry data on $dest$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_payload_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry SIP Provider Modification", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "3b4e18cb-497f-4073-85ad-1ada7c2107ab", "description": "The following analytic detects modifications to the Windows Registry SIP Provider. It leverages Sysmon Event ID 7 to monitor registry changes in paths and values related to Cryptography Providers and OID Encoding Types. This activity is significant as it may indicate an attempt to subvert trust controls, a common tactic for bypassing security measures and maintaining persistence. If confirmed malicious, an attacker could manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Review the modified registry paths and concurrent processes to identify the attack source.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Registry SIP Provider Modification detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\") Registry.registry_value_name IN (\"Dll\",\"$DLL\") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_sip_provider_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Regsvr32 Renamed Binary", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "description": "The following analytic identifies instances where the regsvr32.exe binary has been renamed and executed. This detection leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original filename metadata. Renaming regsvr32.exe is significant as it can be an evasion technique used by attackers to bypass security controls. If confirmed malicious, this activity could allow an attacker to execute arbitrary DLLs, potentially leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "regsvr32 was renamed as $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_regsvr32_renamed_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "description": "The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", "https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html", "https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html", "https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager", "https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html", "https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName==\"credui.dll\", 1, OriginalFileName==\"DBGHELP.DLL\", 1, OriginalFileName==\"SAMCLI.DLL\", 1, OriginalFileName==\"winhttp.dll\", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, \"credui.dll\"), 1, match(ImageLoaded, \"dbghelp.dll\"), 1, match(ImageLoaded, \"samcli.dll\"), 1, match(ImageLoaded, \"winhttp.dll\"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "This module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_access_software_brc4_loaded_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "8bd22c9f-05a2-4db1-b131-29271f28cb0a", "description": "The following analytic identifies the use of remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This detection is significant as unauthorized remote access tools can be used by adversaries to maintain persistent access to compromised systems. If confirmed malicious, this activity could allow attackers to remotely control systems, exfiltrate data, or further infiltrate the network. Review the identified software to ensure it is authorized and take action against any unauthorized utilities.", "references": ["https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following Remote Access Software $process_name$ was identified on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Remote Access Software RMS Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "description": "The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing \"SYSTEM\\\\Remote Manipulator System.\" This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry related to RMS tool is created in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\Remote Manipulator System*\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_rms_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Assistance Spawning Process", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "ced50492-8849-11ec-9f68-acde48001122", "description": "The following analytic detects Microsoft Remote Assistance (msra.exe) spawning PowerShell.exe or cmd.exe as a child process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where msra.exe is the parent process. This activity is significant because msra.exe typically does not spawn command-line interfaces, indicating potential process injection or misuse. If confirmed malicious, an attacker could use this technique to execute arbitrary commands, escalate privileges, or maintain persistence on the compromised system.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://app.any.run/tasks/ca1616de-89a1-4afc-a3e4-09d428df2420/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. Add additional shells as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_assistance_spawning_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Create Service", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "description": "The following analytic identifies the creation of a new service on a remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring for EventCode 7045, which indicates a new service creation. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this could allow the attacker to establish persistence, escalate privileges, or execute arbitrary code on the remote system, potentially leading to further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN (\"*create*\") Processes.process=\"*\\\\\\\\*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_create_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "description": "The following analytic detects the execution of the RDPWInst.exe tool, which is an RDP wrapper library used to enable remote desktop host support and concurrent RDP sessions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and specific command-line arguments. This activity is significant because adversaries can abuse this tool to establish unauthorized RDP connections, facilitating remote access and potential lateral movement within the network. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and further compromise of the targeted host.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Rdpwinst.exe executed on $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"RDPWInst.exe\" OR Processes.original_file_name=\"RDPWInst.exe\") AND Processes.process IN (\"* -i*\", \"* -s*\", \"* -o*\", \"* -w*\", \"* -r*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This tool was designed for home usage and not commonly seen in production environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_service_rdpwinst_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Rdp In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "description": "The following analytic detects modifications to the Windows firewall to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"netsh.exe\" to allow TCP port 3389. This activity is significant as it may indicate an adversary attempting to gain remote access to a compromised host, a common tactic for lateral movement. If confirmed malicious, this could allow attackers to remotely control the system, leading to potential data exfiltration or further network compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "new firewall rules was added to allow rdp connection to $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"netsh.exe\" OR Processes.original_file_name= \"netsh.exe\") AND Processes.process = \"*firewall*\" AND Processes.process = \"*add*\" AND Processes.process = \"*protocol=TCP*\" AND Processes.process = \"*localport=3389*\" AND Processes.process = \"*action=allow*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_rdp_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Remote Assistance", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "description": "The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Control\\\\Terminal Server\\\\fAllowToGetHelp\" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_remote_assistance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Rdp Enable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "description": "The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"fDenyTSConnections\" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_rdp_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Replication Through Removable Media", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "description": "The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "executable or script $file_path$ was dropped in root drive $root_drive$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"%:\") AND dropped_file_path_split_count = 2 AND root_drive!= \"C:\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_replication_through_removable_media_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Root Domain linked policies Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*.SearchRooT*\" ScriptBlockText = \"*.gplink*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_root_domain_linked_policies_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 Apply User Settings Changes", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d", "description": "The following analytic detects the execution of a suspicious rundll32 command line that updates user-specific system parameters, such as desktop backgrounds, display settings, and visual themes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"user32.dll,UpdatePerUserSystemParameters.\" This activity is significant as it is uncommon for legitimate purposes and has been observed in Rhysida Ransomware for defense evasion. If confirmed malicious, this could allow an attacker to disguise activities or make unauthorized system changes, potentially leading to persistent unauthorized access.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,UpdatePerUserSystemParameters*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_apply_user_settings_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_apply_user_settings_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDAV Request", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "320099b7-7eb1-4153-a2b4-decb53267de2", "description": "The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\",\"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDav With Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "description": "The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\", \"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Created Via XML", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 3, "id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "description": "The following analytic detects the creation of scheduled tasks in Windows using schtasks.exe with the -create flag and an XML parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it is a common technique for establishing persistence or achieving privilege escalation, often used by malware like Trickbot and Winter-Vivern. If confirmed malicious, this could allow attackers to maintain access, execute additional payloads, and potentially lead to data theft or ransomware deployment.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["CISA AA23-347A", "Scheduled Tasks", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process=\"* /xml *\" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_created_via_xml_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Service Spawned Shell", "author": "Steven Dick", "date": "2024-05-14", "version": 2, "id": "d8120352-3b62-4e3c-8cb6-7b47584dd5e8", "description": "The following analytic detects when the Task Scheduler service (\"svchost.exe -k netsvcs -p -s Schedule\") spawns common command line, scripting, or shell execution binaries such as \"powershell.exe\" or \"cmd.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A windows scheduled task spawned the shell application $process_name$ on $dest$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*\\\\system32\\\\svchost.exe*\" AND Processes.parent_process=\"*-k*\" AND Processes.parent_process= \"*netsvcs*\" AND Processes.parent_process=\"*-p*\" AND Processes.parent_process=\"*-s*\" AND Processes.parent_process=\"*Schedule*\" Processes.process_name IN(\"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"cmd.exe\", \"sh.exe\", \"ksh.exe\", \"zsh.exe\", \"bash.exe\", \"scrcons.exe\",\"pwsh.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_service_spawned_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task with Highest Privileges", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "description": "The following analytic detects the creation of a new scheduled task with the highest execution privileges via Schtasks.exe. It leverages Endpoint Detection and Response (EDR) logs to monitor for specific command-line parameters ('/rl' and 'highest') in schtasks.exe executions. This activity is significant as it is commonly used in AsyncRAT attacks for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to maintain persistent access and execute tasks with elevated privileges, potentially leading to unauthorized system access and data breaches.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "CISA AA23-347A", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_with_highest_privileges_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Schtasks Create Run As System", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "41a0e58e-884c-11ec-9976-acde48001122", "description": "The following analytic detects the creation of a new scheduled task using Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it often indicates an attempt to gain elevated privileges or maintain persistence within the environment. If confirmed malicious, an attacker could execute code with SYSTEM-level privileges, potentially leading to data theft, ransomware deployment, or further system compromise. Immediate investigation and mitigation are crucial to prevent further damage.", "references": ["https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"], "tags": {"analytic_story": ["Qakbot", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_schtasks", "definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_schtasks_create_run_as_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Screen Capture Via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "description": "The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script was identified possibly performing screen captures on $Computer$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[Drawing.Graphics]::FromImage(*\" AND ScriptBlockText = \"*New-Object Drawing.Bitmap*\" AND ScriptBlockText = \"*.CopyFromScreen*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_screen_capture_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Account Manager Stopped", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 3, "id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "description": "The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the \"net stop samss\" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $process$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE (\"Processes.process_name\"=\"net*.exe\" \"Processes.process\"=\"*stop \\\"samss\\\"*\") BY Processes.dest Processes.user Processes.process Processes.process_guid Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_security_account_manager_stopped_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Support Provider Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "description": "The following analytic identifies command-line activity querying the registry for Security Support Providers (SSPs) related to Local Security Authority (LSA) protection and configuration. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes accessing specific LSA registry paths. Monitoring this activity is crucial as adversaries and post-exploitation tools like winpeas may use it to gather information on LSA protections, potentially leading to credential theft. If confirmed malicious, attackers could exploit this to scrape password hashes or plaintext passwords from memory, significantly compromising system security.", "references": ["https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Sneaky Active Directory Persistence Tricks", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with reg query command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA*\" Processes.process IN (\"*RunAsPPL*\" , \"*LsaCfgFlags*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_security_support_provider_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Server Software Component GACUtil Install to GAC", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "description": "The following analytic detects the use of GACUtil.exe to add a DLL into the Global Assembly Cache (GAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adding a DLL to the GAC allows it to be called by any application, potentially enabling widespread code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code across the operating system, leading to privilege escalation or persistent access.", "references": ["https://strontic.github.io/xcyclopedia/library/gacutil.exe-F2FE4DF74BD214EDDC1A658043828089.html", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://learn.microsoft.com/en-us/dotnet/framework/app-domains/gac"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN (\"*-i *\",\"*/i *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_server_software_component_gacutil_install_to_gac_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create Kernel Mode Driver", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "description": "The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures.", "references": ["https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"], "tags": {"analytic_story": ["CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*kernel*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on common applications adding new drivers, however, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_create_kernel_mode_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create RemComSvc", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "0be4b5d6-c449-4084-b945-2392b519c33b", "description": "The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the \"RemCom Service\" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A new service was created related to RemCom on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"RemCom Service\" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present, filter as needed based on administrative activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_create_remcomsvc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create SliverC2", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "description": "The following analytic detects the creation of a Windows service named \"Sliver\" with the description \"Sliver Implant,\" indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.", "references": ["https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16", "https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://regex101.com/r/DWkkXm/1"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A user mode service was created on $dest$ related to SliverC2.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives should be limited, but if another service out there is named Sliver, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_create_sliverc2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create with Tscon", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "c13b3d74-6b63-4db5-a841-4206f0370077", "description": "The following analytic detects potential RDP Hijacking attempts by identifying the creation of a Windows service using sc.exe with a binary path that includes tscon.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it indicates an attacker may be trying to hijack a disconnected RDP session, posing a risk of unauthorized access. If confirmed malicious, the attacker could gain control over an existing user session, leading to potential data theft or further system compromise.", "references": ["https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*/dest:rdp-tcp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_create_with_tscon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Created with Suspicious Service Path", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 5, "id": "429141be-8311-11eb-adb6-acde48001122", "description": "The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "Clop Ransomware", "Flax Typhoon", "PlugX", "Qakbot", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImagePath", "type": "File", "role": ["Attacker"]}], "message": "A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_created_with_suspicious_service_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Created Within Public Path", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "3abb2eda-4bb8-11ec-9ae4-3e22fbd008af", "description": "The following analytic detects the creation of a Windows Service with its binary path located in public directories using Windows Event ID 7045. This detection leverages logs from the `wineventlog_system` data source, focusing on the `ImagePath` field to identify services installed outside standard system directories. This activity is significant as it may indicate the installation of a malicious service, often used by adversaries for lateral movement or remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or further compromise the system.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://pentestlab.blog/2020/07/21/lateral-movement-services/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ServiceName", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service $ServiceName$ with a public path was created on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Creation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "description": "The following analytic identifies the creation of a Windows Service on a remote endpoint using `sc.exe`. It detects this activity by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include remote paths and service creation commands. This behavior is significant because adversaries often exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_creation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Creation Using Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 4, "id": "25212358-948e-11ec-ad47-acde48001122", "description": "The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "PlugX", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a endpoint from $dest$ using a registry entry", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Third party tools may used this technique to create services but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_creation_using_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Deletion In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "daed6823-b51c-4843-a6ad-169708f1323e", "description": "The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was deleted on $dest$ within the Windows registry.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_deletion_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "3f519894-4276-11ec-ab02-3e22fbd008af", "description": "The following analytic detects the execution of `sc.exe` with command-line arguments used to start a Windows Service on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop By Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "196ff536-58d9-4d1b-9686-b176b04e430b", "description": "The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process=\"* delete *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrative scripts may start/stop/delete services. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_stop_by_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Via Net and SC Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "827af04b-0d08-479b-9b84-b7d4644e4b80", "description": "The following analytic identifies attempts to stop services on a system using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line executions. This activity is significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process$ was executed on $dest$ attempting to stop service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.original_file_name= \"sc.exe\" AND Processes.process=\"*stop*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Windows OS or software may stop and restart services due to some critical update.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_stop_via_net__and_sc_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Win Updates", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "description": "The following analytic detects the disabling of Windows Update services, such as \"Update Orchestrator Service for Windows Update,\" \"WaaSMedicSvc,\" and \"Windows Update.\" It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows update services $service_name$ was being disabled on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7040 (service_name IN (\"Update Orchestrator Service for Windows Update\", \"WaaSMedicSvc\", \"Windows Update\") OR param1 IN (\"UsoSvc\", \"WaaSMedicSvc\", \"wuauserv\")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)", "known_false_positives": "Network administrator may disable this services as part of its audit process within the network. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_stop_win_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SIP Provider Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "21c5af91-1a4a-4511-8603-64fb41df3fad", "description": "The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats.", "references": ["https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`subjectinterfacepackage` Dll=*\\\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`", "how_to_implement": "To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1", "known_false_positives": "False positives are limited as this is a hunting query for inventory.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "subjectinterfacepackage", "definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_provider_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "6ffc7f88-415b-4278-a80d-b957d6539e1a", "description": "The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that \"The digital signature of the object did not verify.\" This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Failed trust validation via the CryptoAPI 2 on $dest$ for a binary.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`capi2_operational` EventID=81 \"The digital signature of the object did not verify.\" | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_winverifytrust_failed_trust_validation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware File Modification Crmlog", "author": "Michael Haag, Splunk", "date": "2024-05-07", "version": 2, "id": "27187e0e-c221-471d-a7bd-04f698985ff6", "description": "The following analytic identifies the creation of a .crmlog file within the %windows%\\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\registration\\\\*\" AND Filesystem.file_name=\"*.crmlog\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_file_modification_crmlog_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "628d9c7c-3242-43b5-9620-7234c080a726", "description": "The following analytic detects the creation of the comadmin.dat file in the %windows%\\system32\\Com directory, which is associated with Snake Malware. This detection leverages the Endpoint.Filesystem data model to identify file creation events matching the specified path and filename. This activity is significant because the comadmin.dat file is part of Snake Malware's installation process, which includes dropping a kernel driver and a custom DLL. If confirmed malicious, this activity could allow an attacker to load a malicious driver, potentially leading to privilege escalation and persistent access to the compromised system.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\system32\\\\com\\\\*\" AND Filesystem.file_name=\"comadmin.dat\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_kernel_driver_comadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "description": "The following analytic identifies modifications to the registry path .wav\\\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry modification related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\.wav\\\\OpenWithProgIds\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require tuning based on program Ids in large organizations.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Service Create", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "description": "The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "False positives should be limited as this is a strict primary indicator used by Snake Malware.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_snake_malware_service_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SOAPHound Binary Execution", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "8e53f839-e127-4d6d-a54d-a2f67044a57f", "description": "The following analytic detects the execution of the SOAPHound binary (`soaphound.exe`) with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and other process-related metadata. This activity is significant because SOAPHound is a known tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could allow an attacker to extract sensitive information, escalate privileges, or persist within the environment, posing a severe threat to organizational security.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The process $process_name$ was executed on $dest$ related to SOAPHound.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"soaphound.exe\" OR Processes.original_file_name=\"soaphound.exe\" AND Processes.process IN (\"*--buildcache *\", \"*--bhdump *\", \"*--certdump *\", \"*--dnsdump *\", \"*-c *\", \"*--cachefilename *\", \"*-o *\", \"*--outputdirectory *\") by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_path Processes.process_integrity_level Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_soaphound_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the command-line arguments are specific to SOAPHound. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_soaphound_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "description": "The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise.", "references": ["https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a office document process $Image$ connect to an URL link $QueryName$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=22 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\",\"*\\\\wordpad.exe\",\"*\\\\wordview.exe\",\"*\\\\onenote.exe\", \"*\\\\onenotem.exe\",\"*\\\\onenoteviewer.exe\",\"*\\\\onenoteim.exe\", \"*\\\\msaccess.exe\") AND NOT(QueryName IN (\"*.office.com\", \"*.office.net\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Office document may contain legitimate url link other than MS office Domain. filter is needed", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "description": "The following analytic detects OneNote spawning `mshta.exe`, a behavior often associated with spearphishing attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where OneNote is the parent process. This activity is significant as it is commonly used by malware families like TA551, AsyncRat, Redline, and DCRAT to execute malicious scripts. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. Immediate investigation and containment are recommended.", "references": ["https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"onenote.exe\", \"onenotem.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "description": "The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319113(v=ws.11)", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/tactics/TA0008/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_special_privileged_logon_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SQL Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "dfc18a5a-946e-44ee-a373-c0f60d06e676", "description": "The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "tags": {"analytic_story": ["Flax Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\", \"launchpad.exe\", \"sqldumper.exe\") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_sql_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3", "description": "The following analytic detects the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, excluding legitimate loads from the System32 directory. This activity is significant as it indicates potential DLL sideloading, a technique used by adversaries to execute malicious code within trusted processes. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and evade detection by blending with legitimate processes.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading $ImageLoaded$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 (Image=\"*\\\\SQLDumper.exe\" OR Image=\"*\\\\SQLWriter.exe\") ImageLoaded=\"*\\\\vcruntime140.dll\" NOT ImageLoaded=\"C:\\\\Windows\\\\System32\\\\*\" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sqlwriter_sqldumper_dll_sideload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "author": "Steven Dick", "date": "2024-05-11", "version": 3, "id": "cbe761fc-d945-4c8c-a71d-e26d12255d32", "description": "The following analytic detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify these actions. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain elevated privileges or persist within the environment, potentially leading to unauthorized access to sensitive information and further exploitation.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 activity by $src_user$ - $flavor_text$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4886,4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| fillnull | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | eval flavor_text = case(EventCode==\"4886\",\"A suspicious certificate was requested using request ID: \".'RequestId',EventCode==\"4887\", \"A suspicious certificate was issued using request ID: \".'RequestId'.\". To revoke this certifacte use this request ID or the SSL fingerprint [\".'ssl_hash'.\"]\"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates___esc1_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "author": "Steven Dick", "date": "2024-05-24", "version": 2, "id": "f0306acf-a6ab-437a-bbc6-8628f8d5c97e", "description": "The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ssl_hash", "type": "Other", "role": ["Attacker"]}, {"name": "ssl_serial", "type": "Other", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 authentication on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id==\"4887\", \"User account [\".'user'.\"] authenticated after a suspicious certificate was issued for it by [\".'src_user'.\"] using certificate request ID: \".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates___esc1_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "description": "The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. This detection helps in identifying and correlating suspicious certificate-related activities for further investigation.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was issued to $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_issued_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Request", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "description": "The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was requested by $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "author": "Michael Haag, Splunk", "date": "2024-05-04", "version": 2, "id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "description": "The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN (\"*-backupdb *\", \"*-backup *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_certutil_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "description": "The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security.", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10)"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificates were exported via the CryptoAPI 2 on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_cryptoapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CS Backup", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "description": "The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Active Directory Certiciate Services was backed up on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_cs_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "description": "The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-certificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "391329f3-c14b-4b8d-8b37-ac5012637360", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-pfxcertificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "description": "The following analytic identifies the execution of the Windows OS tool klist.exe, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process details. Monitoring klist.exe is significant as it can indicate attempts to list or gather cached Kerberos tickets, which are crucial for lateral movement or privilege escalation. If confirmed malicious, this activity could enable attackers to move laterally within the network or escalate privileges, posing a severe security risk.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process klist.exe executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"klist.exe\" OR Processes.original_file_name = \"klist.exe\" Processes.parent_process_name IN (\"cmd.exe\", \"powershell*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_or_forge_kerberos_tickets_klist_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Suspect Process With Authentication Traffic", "author": "Steven Dick", "date": "2024-05-15", "version": 2, "id": "953322db-128a-4ce9-8e89-56e039e33d98", "description": "The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", "how_to_implement": "To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.", "known_false_positives": "Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_suspect_process_with_authentication_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "description": "The following analytic detects the use of the decompile parameter with the HTML Help application (HH.exe). This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions involving the decompile parameter. This activity is significant because it is an uncommon command and has been associated with APT41 campaigns, where it was used to unpack HTML help files for further malicious actions. If confirmed malicious, this technique could allow attackers to execute arbitrary commands, potentially leading to further compromise and persistence within the environment.", "references": ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using decompile against a CHM on $dest$ under user $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using ldap Nslookup", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "description": "The following analytic detects the execution of nslookup.exe to query domain information using LDAP. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as nslookup.exe can be abused by malware like Qakbot to gather critical domain details, such as SRV records and server names. If confirmed malicious, this behavior could allow attackers to map the network, identify key servers, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "references": ["https://securelist.com/qakbot-technical-analysis/103931/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System nslookup domain discovery on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"nslookup.exe\" OR Processes.original_file_name = \"nslookup.exe\") AND Processes.process = \"*_ldap._tcp.dc._msdcs*\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "dministrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_ldap_nslookup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using Qwinsta", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "description": "The following analytic detects the execution of \"qwinsta.exe\" on a Windows operating system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. The \"qwinsta.exe\" tool is significant because it can display detailed session information on a remote desktop session host server. This behavior is noteworthy as it is commonly abused by Qakbot malware to gather system information and send it back to its Command and Control (C2) server. If confirmed malicious, this activity could lead to unauthorized data exfiltration and further compromise of the host.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta", "https://securelist.com/qakbot-technical-analysis/103931/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System qwinsta domain discovery on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"qwinsta.exe\" OR Processes.original_file_name = \"qwinsta.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_qwinsta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System File on Disk", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "description": "The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["CISA AA22-264A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new driver is present on $dest$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.sys*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")). This will level out the noise generated to potentally lead to generating notables.", "known_false_positives": "False positives will be present. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System LogOff Commandline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "description": "The following analytic detects the execution of the Windows command line to log off a host machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes involving `shutdown.exe` with specific parameters. This activity is significant as it is often associated with Advanced Persistent Threats (APTs) and Remote Access Trojans (RATs) like dcrat, which use this technique to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name $process_name$ is seen to execute logoff commandline on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /l*\", \"* -l*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_logoff_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Config Discovery Display DNS", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "description": "The following analytic identifies the execution of the \"ipconfig /displaydns\" command, which retrieves DNS reply information using the built-in Windows tool IPConfig. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. Monitoring this activity is significant as threat actors and post-exploitation tools like WINPEAS often abuse this command to gather network information. If confirmed malicious, this activity could allow attackers to map the network, identify DNS servers, and potentially facilitate further network-based attacks or lateral movement.", "references": ["https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"ipconfig.exe\" OR Processes.original_file_name = \"ipconfig.exe\" AND Processes.process = \"*/displaydns*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_network_config_discovery_display_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Connections Discovery Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "description": "The following analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as netsh.exe can be used by adversaries to bypass firewall rules or discover firewall settings. If confirmed malicious, this activity could allow attackers to manipulate firewall configurations, potentially leading to unauthorized network access or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Snake Keylogger", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "netsh process with command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = \"* show *\" Processes.process IN (\"*state*\", \"*config*\", \"*wlan*\", \"*profile*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_network_connections_discovery_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Reboot CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "description": "The following analytic identifies the execution of the Windows command line to reboot a host machine using \"shutdown.exe\" with specific parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it is often associated with advanced persistent threats (APTs) and remote access trojans (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ that executed reboot via commandline on $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /r*\", \"* -r*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_reboot_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "description": "The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk.", "references": ["https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"wscript.exe\",\"cscript.exe\") Processes.process=\"*syncappvpublishingserver.vbs*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Shutdown CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 3, "id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "description": "The following analytic identifies the execution of the Windows shutdown command via the command line interface. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because attackers may use the shutdown command to erase tracks, cause disruption, or ensure changes take effect after installing backdoors. If confirmed malicious, this activity could lead to system downtime, denial of service, or evasion of security tools, impacting the overall security posture of the network.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ seen to execute shutdown via commandline on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" AND Processes.process IN(\"* /s*\", \"* -s*\") AND Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_shutdown_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Time Discovery W32tm Delay", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "description": "The following analytic identifies the use of the w32tm.exe utility with the /stripchart function, which is indicative of DCRat malware delaying its payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments used by w32tm.exe. This activity is significant as it may indicate an attempt to evade detection by delaying malicious actions such as C2 communication and beaconing. If confirmed malicious, this behavior could allow an attacker to maintain persistence and execute further malicious activities undetected.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= \"* /stripchart *\" Processes.process= \"* /computer:localhost *\" Processes.process= \"* /period:*\" Processes.process= \"* /dataonly *\" Processes.process= \"* /samples:*\" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_time_discovery_w32tm_delay_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Discovery Via Quser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "description": "The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"quser.exe\" OR Processes.original_file_name = \"quser.exe\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to audit RDP access of user in specific network or host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_user_discovery_via_quser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Privilege Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "8c9a06bc-9939-4425-9bb9-be2371f7fb7e", "description": "The following analytic detects the execution of `whoami.exe` with the `/priv` parameter, which displays the privileges assigned to the current user account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to enumerate user privileges, a common step in the reconnaissance phase of an attack. If confirmed malicious, this could lead to privilege escalation or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to system user privilege discovery detected on $dest$ using whoami.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"whoami.exe\" Processes.process= \"*/priv*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_user_privilege_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Terminating Lsass Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "description": "The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "a process $SourceImage$ terminates Lsass process in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_terminating_lsass_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "34502357-deb1-499a-8261-ffe144abf561", "description": "The following analytic detects potentially malicious processes that initiate a ping delay using an invalid IP address. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"ping 0 -n\". This behavior is significant as it is commonly used by malware like NJRAT to introduce time delays for evasion tactics, such as delaying self-deletion. If confirmed malicious, this activity could indicate an active infection attempting to evade detection, potentially leading to further compromise and persistence within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ did a suspicious ping to invalid IP address on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"ping.exe\" Processes.parent_process = \"* ping 0 -n *\" OR Processes.process = \"* ping 0 -n *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion via Choice Exec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "d5f54b38-10bf-4b3a-b6fc-85949862ed50", "description": "The following analytic detects the use of choice.exe in batch files as a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential time-based evasion techniques used by malware to avoid detection. If confirmed malicious, this behavior could allow attackers to execute code stealthily, delete malicious files, and persist on compromised hosts, making it crucial for SOC analysts to investigate promptly.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ has a choice time delay commandline on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process = \"*/T*\" Processes.process = \"*/N*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_via_choice_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "author": "Steven Dick", "date": "2024-05-22", "version": 2, "id": "453a6b0f-b0ea-48fa-9cf4-20537ffdd22c", "description": "The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon Event ID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN (\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\",\"wscript\",\"cscript.exe\",\"bash.exe\",\"werfault.exe\") OR Processes.process IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\ProgramData\\\\*\",\"*\\\\Temp\\\\*\")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "00d050d3-a5b4-4565-a6a5-a31f69681dc3", "description": "The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon Event ID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval original_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename process_guid as join_guid_1, process* as parent_process* | join max=0 dest join_guid_1 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] | join max=0 dest join_guid_2 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN (\"high\",\"system\") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_2 | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0)] | where elevated_integrity_level > original_integrity_level | table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_escalation_behavior_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_escalation_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "36334123-077d-47a2-b70c-6c7b3cc85049", "description": "The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing outlook credentials registry on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676*\", \"*\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676*\") AND process_name != *\\\\outlook.exe | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsecured_outlook_credentials_access_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "third party software may access this outlook registry.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsecured_outlook_credentials_access_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "5a83ce44-8e0f-4786-a775-8249a525c879", "description": "The following analytic detects the creation of potentially malicious unsigned DLLs in the c:\\windows\\system32 or c:\\windows\\syswow64 folders. It leverages Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded in these critical directories. This activity is significant as it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["NjRAT", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An unsigned dll module was loaded on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Signed=false OriginalFileName = \"-\" SignatureStatus=\"unavailable\" ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-06-07", "version": 1, "id": "3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f", "description": "This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.", "references": ["https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html", "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "tags": {"analytic_story": ["DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An unsigned dll module was loaded on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"c:\\\\Program Files*\")) NOT (ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"c:\\\\Program Files*\")) | rex field=Image \"(?.+\\\\\\)\" | rex field=ImageLoaded \"(?.+\\\\\\)\" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_dll_side_loading_in_same_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned MS DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "8d9e0e06-ba71-4dc5-be16-c1a46d58728c", "description": "The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. This behavior is significant as adversaries often exploit DLL side-loading to execute malicious code via legitimate processes. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Company=\"Microsoft Corporation\" Signed=false SignatureStatus != Valid NOT (Image IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) NOT (ImageLoaded IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) | rex field=Image \"(?.+\\\\\\)\" | rex field=ImageLoaded \"(?.+\\\\\\)\" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_ms_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "f65aa026-b811-42ab-b4b9-d9088137648f", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 2, "id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "15603165-147d-4a6e-9778-bd0ff39e668f", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential NTLM based password spraying attack from $src$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "description": "The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "description": "The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "description": "The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "description": "The following analytic detects the creation of suspicious URL shortcut link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify .url files created outside standard directories, such as Program Files. This activity is significant as it may indicate an attempt to execute malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process created URL shortcut file in $file_path$ of $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN (\"*\\\\Program Files*\")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_user_execution_malicious_url_shortcut_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Valid Account With Never Expires Password", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "73a931db-1830-48b3-8296-cd9cfa09c3c8", "description": "The following analytic detects the use of net.exe to update user account policies to set passwords as non-expiring. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"/maxpwage:unlimited\". This activity is significant as it can indicate an attempt to maintain persistence, escalate privileges, evade defenses, or facilitate lateral movement. If confirmed malicious, this behavior could allow an attacker to maintain long-term access to compromised accounts, potentially leading to further exploitation and unauthorized access to sensitive information.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"* accounts *\" AND Processes.process=\"* /maxpwage:unlimited\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This behavior is not commonly seen in production environment and not advisable, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_valid_account_with_never_expires_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable 3CX Software", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "f2cc1584-46ee-485b-b905-977c067f36de", "description": "The following analytic detects instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this activity is crucial as these specific versions have known vulnerabilities that could be exploited by attackers. If confirmed malicious, exploitation of this vulnerability could lead to unauthorized access, code execution, or further compromise of the affected system, posing significant security risks.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_3cx_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable Driver Loaded", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "description": "The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.", "references": ["https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/jbaines-r7/dellicious", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", "https://github.com/stong/CVE-2020-15368", "https://github.com/CaledoniaProject/drivers-binaries", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`", "how_to_implement": "Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable.", "known_false_positives": "False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "loldrivers", "description": "A list of known vulnerable drivers", "filename": "loldrivers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows WinDBG Spawning AutoIt3", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "7aec015b-cd69-46c3-85ed-dac152056aa4", "description": "The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior is detected by monitoring endpoint telemetry for processes where 'windbg.exe' is the parent process and 'autoit3.exe' or similar is the child process. This activity is significant because AutoIt3 is frequently used by threat actors for scripting malicious automation, potentially indicating an ongoing attack. If confirmed malicious, this could allow attackers to automate tasks, execute arbitrary code, and further compromise the system, leading to data exfiltration or additional malware deployment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND (Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\")) by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.original_file_name, Processes.process, Processes.process_id, Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval matches_extension=if(match(process, \"\\\\.(au3|a3x|exe|aut|aup)$\"), \"Yes\", \"No\") | search matches_extension=\"Yes\" | `windows_windbg_spawning_autoit3_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_windbg_spawning_autoit3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WinLogon with Public Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "description": "The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_winlogon_with_public_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Impersonate Token", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "description": "The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.", "references": ["https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md", "https://www.joesandbox.com/analysis/278341/0/html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\wmiprvse.exe\" GrantedAccess IN (\"0x1478\", \"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "administrator may execute impersonate wmi object script for auditing. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_wmi_impersonate_token_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process And Service List", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "description": "The following analytic identifies suspicious WMI command lines querying for running processes or services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line events. This activity is significant as adversaries often use WMI to gather system information and identify services on compromised machines. If confirmed malicious, this behavior could allow attackers to map out the system, identify critical services, and plan further attacks, potentially leading to privilege escalation or persistence within the environment.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wmi command $process$ to list processes and services in $dest$", "risk_score": 4, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*process list*\", \"*service list*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "netowrk administrator or IT may execute this command for auditing processes and services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_and_service_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process Call Create", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "0661c2de-93de-11ec-9833-acde48001122", "description": "The following analytic detects the execution of WMI command lines used to create or execute processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line events that include specific keywords like \"process,\" \"call,\" and \"create.\" This activity is significant because adversaries often use WMI to execute malicious payloads on local or remote hosts, potentially bypassing traditional security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "references": ["https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml", "https://github.com/redcanaryco/atomic-red-team/blob/2b804d25418004a5f1ba50e9dc637946ab8733c7/atomics/T1047/T1047.md", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "IcedID", "Qakbot", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with $process$ commandline executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"* process *\" Processes.process = \"* call *\" Processes.process = \"* create *\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command for testing or auditing.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_call_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 4, "id": "203ef0ea-9bd8-11eb-8201-acde48001122", "description": "The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA22-257A", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$ by the following command: $TaskContent$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_to_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 4, "id": "5d9c6eee-988c-11eb-8253-acde48001122", "description": "The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN", "https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "AsyncRAT", "CISA AA22-257A", "CISA AA23-347A", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "b3632472-310b-11ec-9aab-acde48001122", "description": "The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "CISA AA22-257A", "DarkCrystal RAT", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Qakbot", "Sandworm Tools", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Scheduled Task was scheduled and ran on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_task_scheduler` EventCode IN (\"200\",\"201\") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`", "how_to_implement": "Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message.", "known_false_positives": "False positives will be present. Filter based on ActionName paths or specify keywords of interest.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_task_scheduler", "definition": "source=\"XmlWinEventLog:Security\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_windows_task_scheduler_event_action_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winhlp32 Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "d17dae9e-2618-11ec-b9f5-acde48001122", "description": "The following analytic detects winhlp32.exe spawning a child process that loads a file from appdata, programdata, or temp directories. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because winhlp32.exe has known vulnerabilities and can be exploited to execute malicious code. If confirmed malicious, an attacker could use this technique to execute arbitrary scripts, escalate privileges, or maintain persistence within the environment. Analysts should review parallel processes, module loads, and file modifications for further suspicious behavior.", "references": ["https://www.exploit-db.com/exploits/16541", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winhlp32_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRAR Spawning Shell Application", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "d2f36034-37fa-4bd4-8801-26807c15540f", "description": "The following analytic detects the execution of Windows shell processes initiated by WinRAR, such as \"cmd.exe\", \"powershell.exe\", \"certutil.exe\", \"mshta.exe\", or \"bitsadmin.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it may indicate exploitation of the WinRAR CVE-2023-38831 vulnerability, where malicious scripts are executed from spoofed ZIP archives. If confirmed malicious, this could lead to unauthorized access, financial loss, and further malicious activities like data theft or ransomware attacks.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc", "https://github.com/b1tg/CVE-2023-38831-winrar-exploit"], "tags": {"analytic_story": ["WinRAR Spoofing Attack CVE-2023-38831"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN (\"certutil.exe\",\"mshta.exe\",\"bitsadmin.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winrar_spawning_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRM Spawning a Process", "author": "Drew Church, Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "a081836a-ba4d-11eb-8593-acde48001122", "description": "The following analytic detects suspicious processes spawned by WinRM (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate exploitation attempts of vulnerabilities like CVE-2021-31166, which could lead to system instability or compromise. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistence, posing a severe threat to the environment.", "references": ["https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml", "https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys", "https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py"], "tags": {"analytic_story": ["CISA AA23-347A", "Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN (\"cmd.exe\",\"sh.exe\",\"bash.exe\",\"powershell.exe\",\"pwsh.exe\",\"schtasks.exe\",\"certutil.exe\",\"whoami.exe\",\"bitsadmin.exe\",\"scp.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winrm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Cmd", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "6fcbaedc-a37b-11eb-956b-acde48001122", "description": "The following analytic identifies instances where Microsoft Word (winword.exe) spawns the command prompt (cmd.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious attachments execute commands via cmd.exe. If confirmed malicious, this could allow an attacker to execute arbitrary commands, potentially leading to further system compromise, data exfiltration, or lateral movement within the network.", "references": ["https://app.any.run/tasks/73af0064-a785-4c0a-ab0d-cde593fe16ef/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ which is very common in spearphishing attacks.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 3, "id": "b2c950b8-9be2-11eb-8658-acde48001122", "description": "The following analytic identifies instances where Microsoft Word (winword.exe) spawns a PowerShell process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious documents execute encoded PowerShell commands. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/", "https://app.any.run/tasks/b79fa381-f35c-4b3e-8d02-507e7ee7342f/", "https://app.any.run/tasks/181ac90b-0898-4631-8701-b778a30610ad/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched the following powershell process: $process_name$ which is very common in spearphishing attacks", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" `process_powershell` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "637e1b5c-9be1-11eb-9c32-acde48001122", "description": "The following analytic identifies instances where Microsoft Winword.exe spawns Windows Script Host processes (cscript.exe or wscript.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is Winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious scripts are executed via document macros. If confirmed malicious, this could lead to code execution, allowing attackers to gain initial access, execute further payloads, or establish persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "User $user$ on $dest$ spawned Windows Script Host from Winword.exe", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription", "author": "Rico Valdez, Splunk", "date": "2024-05-26", "version": 2, "id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "description": "The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon Event ID 5 data to identify instances where the event consumers are not the expected \"NTEventLogEventConsumer.\" This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wmi` EventCode=5861 Binding | rex field=Message \"Consumer =\\s+(?[^;|^$]+)\" | search consumer!=\"NTEventLogEventConsumer=\\\"SCM Event Log Consumer\\\"\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription - Sysmon", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "description": "The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "WMI Permanent Event Subscription detected on $dest$ by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`", "how_to_implement": "To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Recon Running Process Or Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 4, "id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI performs an event query to list running processes or services. This detection leverages PowerShell Script Block Logging to capture and analyze script block text for specific WMI queries. This activity is significant as it is commonly used by malware and APT actors to map security applications or services on a compromised machine. If confirmed malicious, this could allow attackers to identify and potentially disable security defenses, facilitating further compromise and persistence within the environment.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious powerShell script execution by $user$ on $dest$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*SELECT*\" AND (ScriptBlockText=\"*Win32_Process*\" OR ScriptBlockText=\"*Win32_Service*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi_recon_running_process_or_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Temporary Event Subscription", "author": "Rico Valdez, Splunk", "date": "2024-05-12", "version": 2, "id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "description": "The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wmi` EventCode=5860 Temporary | rex field=Message \"NotificationQuery =\\s+(?[^;|^$]+)\" | search query!=\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\" AND query!=\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_temporary_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic Group Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "83317b08-155b-11ec-8e00-acde48001122", "description": "The following analytic identifies the use of `wmic.exe` to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line details. Monitoring this activity is significant as it can indicate reconnaissance efforts by an attacker to understand group memberships, which could be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out privileged groups, aiding in further exploitation and persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process=\"*group get name*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic NonInteractive App Uninstallation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "description": "The following analytic identifies the use of the WMIC command-line tool attempting to uninstall applications non-interactively. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with WMIC. This activity is significant because it is uncommon and may indicate an attempt to evade detection by uninstalling security software, as seen in IcedID malware campaigns. If confirmed malicious, this behavior could allow an attacker to disable security defenses, facilitating further compromise and persistence within the environment.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process=\"* product *\" Processes.process=\"*where name*\" Processes.process=\"*call uninstall*\" Processes.process=\"*/nointeractive*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Third party application may use this approach to uninstall applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_noninteractive_app_uninstallation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMIC XSL Execution via URL", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "787e9dd0-4328-11ec-a029-acde48001122", "description": "The following analytic detects `wmic.exe` loading a remote XSL script via a URL. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include HTTP/HTTPS URLs and the /FORMAT switch. This activity is significant as it indicates a potential application control bypass, allowing adversaries to execute JScript or VBScript within an XSL file. If confirmed malicious, this technique can enable attackers to execute arbitrary code, escalate privileges, or maintain persistence using a trusted Windows tool, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*http://*\", \"*https://*\") Processes.process=\"*/format:*\" by Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_xsl_execution_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "95a455f0-4c04-11ec-b8ac-3e22fbd008af", "description": "The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `wmiprvse.exe` is the parent process and the child process is a known LOLBAS binary. This activity is significant as it may indicate lateral movement or remote code execution by an adversary abusing Windows Management Instrumentation (WMI). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wmiprsve.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmiprsve_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "1f35e1da-267b-11ec-90a9-acde48001122", "description": "The following analytic identifies suspicious child processes spawned by WScript or CScript. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific parent and child process names. This activity is significant as adversaries often use WScript or CScript to execute Living Off The Land Binaries (LOLBINs) or other scripts like PowerShell for defense evasion. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "FIN7", "NjRAT", "Remcos", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "wscript or cscript parent process spawned $process_name$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"cscript.exe\", \"wscript.exe\") Processes.process_name IN (\"regsvr32.exe\", \"rundll32.exe\",\"winhlp32.exe\",\"certutil.exe\",\"msbuild.exe\",\"cmd.exe\",\"powershell*\",\"wmic.exe\",\"mshta.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wscript_or_cscript_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "description": "The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. It leverages Endpoint Detection and Response (EDR) data to detect when `Wsmprovhost.exe` spawns child processes that are known LOLBAS (Living Off the Land Binaries and Scripts) executables. This activity is significant because it may indicate an adversary using Windows Remote Management (WinRM) to execute code on remote endpoints, a common technique for lateral movement. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://lolbas-project.github.io/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wsmprovhost.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wsmprovhost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WSReset UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "8b5901bc-da63-11eb-be43-acde48001122", "description": "The following analytic detects a suspicious modification of the registry aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies the creation or modification of specific registry values under the path \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\". This detection uses data from Endpoint Detection and Response (EDR) agents, focusing on process and registry events. This activity is significant because UAC bypass techniques can allow attackers to execute high-privilege actions without user consent. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise.", "references": ["https://github.com/hfiref0x/UACME", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\" AND (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"DelegateExecute\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wsreset_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XMRIG Driver Loaded", "author": "Teoderick Contreras, Splunk", "date": "2024-05-06", "version": 2, "id": "90080fa6-a8df-11eb-91e4-acde48001122", "description": "The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/"], "tags": {"analytic_story": ["CISA AA22-320A", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=6 Signature=\"Noriyuki MIYAZAKI\" OR ImageLoaded= \"*\\\\WinRing0x64.sys\" | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives should be limited.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "xmrig_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XSL Script Execution With WMIC", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "004e32e2-146d-11ec-a83f-acde48001122", "description": "The following analytic detects the execution of an XSL script using the WMIC process, which is often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving WMIC and XSL files. This behavior is significant as it has been associated with the FIN7 group, known for using this technique to execute malicious scripts. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise and further malicious actions within the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-3---wmic-bypass-using-local-xsl-file"], "tags": {"analytic_story": ["FIN7", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"*os get*\" Processes.process=\"*/format:*\" Processes.process = \"*.xsl*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "xsl_script_execution_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect ARP Poisoning", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "b44bebd6-bd39-467b-9321-73971bcd1aac", "description": "The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"arp-inspection\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_arp_poisoning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-29", "version": 2, "id": "92e24f32-9b9a-4060-bba2-2a0eb31f3493", "description": "The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions.", "references": ["https://attack.mitre.org/techniques/T1568/002/", "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", "https://en.wikipedia.org/wiki/Domain_generation_algorithm"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "domain", "type": "URL String", "role": ["Attacker"]}], "message": "A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy DGA detection model into Splunk App DSDL.\\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\n* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\n* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\n* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if domain name is similar to dga generated domains.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-22", "version": 2, "id": "92f65c3a-168c-11ed-71eb-0242ac120012", "description": "The following analytic identifies potential DNS data exfiltration using a pre-trained deep learning model. It leverages DNS request data from the Network Resolution datamodel and computes features from past events between the same source and domain. The model generates a probability score (pred_is_exfiltration_proba) indicating the likelihood of data exfiltration. This activity is significant as DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising the organization's security posture.", "references": ["https://attack.mitre.org/techniques/T1048/003/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/Data_exfiltration"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "query", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A DNS data exfiltration request was sent by this host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name(\"DNS\")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS data exfiltration request look very similar to benign DNS requests.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect hosts connecting to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 4, "id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "description": "The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ from your infra connecting to suspicious domain in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`", "how_to_implement": "First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** DNS Query, **Field:** query\n* **Label:** DNS Answer, **Field:** answer\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "dynamic_dns_providers", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_hosts_connecting_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect IPv6 Network Infrastructure Threats", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "description": "The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption.", "references": ["https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-ra-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-snooping.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dad-proxy.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-nd-mcast-supp.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dhcpv6-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-src-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ipv6-dest-guard.html"], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"SISF\" mnemonic IN (\"IP_THEFT\",\"MAC_THEFT\",\"MAC_AND_IP_THEFT\",\"PAK_DROP\") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "None currently known", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_ipv6_network_infrastructure_threats_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Large Outbound ICMP Packets", "author": "Rico Valdez, Splunk", "date": "2024-05-24", "version": 3, "id": "e9c102de-4d43-42a7-b1c8-8062ea297419", "description": "The following analytic identifies outbound ICMP packets with a size larger than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually large ICMP packets that are not blocked and are destined for external IP addresses. This activity is significant because threat actors often use ICMP for command and control communication, and large ICMP packets can indicate data exfiltration or other malicious activities. If confirmed malicious, this could allow attackers to maintain covert communication channels, exfiltrate sensitive data, or further compromise the network.", "references": [], "tags": {"analytic_story": ["Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\"All_Traffic\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_large_outbound_icmp_packets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Outbound LDAP Traffic", "author": "Bhavin Patel, Johan Bjerke, Splunk", "date": "2024-05-21", "version": 2, "id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "description": "The following analytic identifies outbound LDAP traffic to external IP addresses. It leverages the Network_Traffic data model to detect connections on ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity is significant because outbound LDAP traffic can indicate potential data exfiltration or unauthorized access attempts. If confirmed malicious, attackers could exploit this to access sensitive directory information, leading to data breaches or further network compromise.", "references": ["https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name(\"All_Traffic\")` | where src_ip != dest_ip | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)` |`detect_outbound_ldap_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_outbound_ldap_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Outbound SMB Traffic", "author": "Bhavin Patel, Stuart Hopkins, Patrick Bareiss", "date": "2024-05-25", "version": 5, "id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "description": "The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=\"smb\") by All_Traffic.src_ip | `drop_dm_object_name(\"All_Traffic\")` | eval match=case( cidrmatch(\"10.0.0.0/8\" ,dest_ip) ,\"1\", cidrmatch(\"172.16.0.0/12\" ,dest_ip) ,\"1\", cidrmatch(\"192.168.0.0/16\" ,dest_ip) ,\"1\", cidrmatch(\"100.64.0.0/10\" ,dest_ip) ,\"1\", 1=1,\"0\") | search match=0 | fields - match | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`", "how_to_implement": "This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_outbound_smb_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Port Security Violation", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-13", "version": 2, "id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "description": "The following analytic detects port security violations on Cisco switches. It leverages logs from Cisco network devices, specifically looking for events with mnemonics indicating port security violations. This activity is significant because it indicates an unauthorized device attempting to connect to a secured port, potentially bypassing network access controls. If confirmed malicious, this could allow an attacker to gain unauthorized access to the network, leading to data exfiltration, network disruption, or further lateral movement within the environment.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` (facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"psecure-violation\") OR (facility=\"PORT_SECURITY\" mnemonic=\"PSECURE_VIOLATION\" OR mnemonic=\"PSECURE_VIOLATION_VLAN\") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_port_security_violation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Remote Access Software Usage DNS", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "a16b797d-e309-41bd-8ba0-5067dae2e4be", "description": "The following analytic detects DNS queries to known remote access software domains from within the environment. It leverages DNS query logs mapped to the Network_Resolution data model and cross-references them with a lookup table of remote access software domains, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use remote access tools to maintain persistent access to compromised systems. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further infiltrate the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $query$ was contacted by $src$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`", "how_to_implement": "To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Traffic", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "885ea672-07ee-475a-879e-60d28aa5dd42", "description": "The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://applipedia.paloaltonetworks.com/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Application traffic for a known remote access software [$signature$] was detected from $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`", "how_to_implement": "The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_remote_access_software_usage_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Rogue DHCP Server", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-28", "version": 2, "id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "description": "The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically looking for events where DHCP leases are issued from untrusted ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle attacks, leading to potential data interception and network disruption. If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"DHCP_SNOOPING\" mnemonic=\"DHCP_SNOOPING_UNTRUSTED_PORT\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_rogue_dhcp_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect SNICat SNI Exfiltration", "author": "Shannon Davis, Splunk", "date": "2024-05-21", "version": 2, "id": "82d06410-134c-11eb-adc1-0242ac120002", "description": "The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.", "references": ["https://www.mnemonic.io/resources/blog/introducing-snicat/", "https://github.com/mnemonic-no/SNIcat", "https://attack.mitre.org/techniques/T1041/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_ssl` | rex field=server_name \"(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\\.)\" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`", "how_to_implement": "You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.", "known_false_positives": "Unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "zeek_ssl", "definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_snicat_sni_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Software Download To Network Device", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-20", "version": 2, "id": "cc590c66-f65f-48f2-986a-4797244762f8", "description": "The following analytic identifies unauthorized software downloads to network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing network traffic events on specific ports (69, 21, 22) from devices categorized as network, router, or switch. This activity is significant because adversaries may exploit netbooting to load unauthorized operating systems, potentially compromising network integrity. If confirmed malicious, this could lead to unauthorized control over network devices, enabling further attacks, data exfiltration, or persistent access within the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`", "how_to_implement": "This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory.", "known_false_positives": "This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_software_download_to_network_device_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-13", "version": 2, "id": "92f65c3a-968c-11ed-a1eb-0242ac120002", "description": "The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security.", "references": ["https://attack.mitre.org/techniques/T1071/004/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/TXT_record"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "answer", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious DNS TXT response was detected on host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`.\n* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`.\n* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab.\n* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`.\n* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab.\n* Save the notebook using the save option in Jupyter notebook.\n* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Traffic Mirroring", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-09", "version": 2, "id": "42b3b753-5925-49c5-9742-36fa40a73990", "description": "The following analytic detects the initiation of traffic mirroring sessions on Cisco network devices. It leverages logs with specific mnemonics and facilities related to traffic mirroring, such as \"ETH_SPAN_SESSION_UP\" and \"PKTCAP_START.\" This activity is significant because adversaries may use traffic mirroring to exfiltrate data by duplicating and forwarding network traffic to an external destination. If confirmed malicious, this could allow attackers to capture sensitive information, monitor network communications, and potentially compromise the integrity and confidentiality of the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` (facility=\"MIRROR\" mnemonic=\"ETH_SPAN_SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"PKTCAP_START\") OR (mnemonic=\"CFGLOG_LOGGEDCMD\" command=\"monitor session*\") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.", "known_false_positives": "This search will return false positives for any legitimate traffic captures by network administrators.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_traffic_mirroring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Unauthorized Assets by MAC address", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 3, "id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "description": "The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration.", "references": [], "tags": {"analytic_story": ["Asset Tracking"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name(\"Network_Sessions\")`|`drop_dm_object_name(\"All_Sessions\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`", "how_to_implement": "This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.", "known_false_positives": "This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.", "datamodel": ["Network_Sessions"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_unauthorized_assets_by_mac_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Splunk Stream", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "babd8d10-d073-11ea-87d0-0242ac130003", "description": "The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_dns` | spath \"query_type{}\" | search \"query_type{}\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\"ip:tcp:dns\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count", "how_to_implement": "You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "stream_dns", "definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_tcp", "definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_windows_dns_sigred_via_splunk_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Zeek", "author": "Shannon Davis, Splunk", "date": "2024-05-23", "version": 2, "id": "c5c622e4-d073-11ea-87d0-0242ac130003", "description": "The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count ", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.", "known_false_positives": "unknown", "datamodel": ["Network_Traffic", "Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_windows_dns_sigred_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Zerologon via Zeek", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "description": "The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.", "references": ["https://www.secura.com/blog/zero-logon", "https://github.com/SecuraBV/CVE-2020-1472", "https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Detect Zerologon Attack", "Rhysida Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\"NetrServerReqChallenge\")) as challenge count(eval(operation==\"NetrServerAuthenticate3\")) as authcount count(eval(operation==\"NetrServerPasswordSet2\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`", "how_to_implement": "You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_zerologon_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Query Length Outliers - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-22", "version": 3, "id": "85fbcfe8-9718-4911-adf6-7000d077a3a9", "description": "The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \"IsOutlier(query_length)\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** query_length\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dns_query_length_outliers___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "DNS Query Length With High Standard Deviation", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 6, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "description": "The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding twice the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.record_type IN(\"Pointer\",\"PTR\") by DNS.query host| `drop_dm_object_name(\"DNS\")` | eval tlds=split(query,\".\") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It's possible there can be long domain names that are legitimate.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "dns_query_length_with_high_standard_deviation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Excessive DNS Failures", "author": "bowesmana, Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "104658f4-afdc-499e-9719-17243f9826f1", "description": "The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Excessive DNS failures detected on $src$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.reply_code\"!=\"No Error\" \"DNS.reply_code\"!=\"NoError\" DNS.reply_code!=\"unknown\" NOT \"DNS.query\"=\"*.arpa\" \"DNS.query\"=\"*.*\" by \"DNS.src\" \"DNS.query\" \"DNS.reply_code\" | `drop_dm_object_name(\"DNS\")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "excessive_dns_failures_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "description": "The following analytic detects attempts to exploit the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. It identifies suspicious URI paths and POST HTTP methods, along with specific request headers containing potential commands in the `utilcmdargs` field and a random base64 encoded value in the `X-F5-Auth-Token` field. This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary commands on the affected system. If confirmed malicious, this could lead to full system compromise and unauthorized access to sensitive data.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred.", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url=\"*/mgmt/tm/util/bash*\" Web.http_method=\"POST\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "High Volume of Bytes Out to Url", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "c8a6b56d-16dd-4e9c-b4bd-527742ead98d", "description": "The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.", "references": ["https://attack.mitre.org/techniques/T1567/", "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html", "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$.", "risk_score": 9, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 | `drop_dm_object_name(\"Web\")`| `high_volume_of_bytes_out_to_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior.", "known_false_positives": "This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.", "datamodel": ["Web"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "high_volume_of_bytes_out_to_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hosts receiving high volume of network traffic from email server", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "description": "The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Large Volume of DNS ANY Queries", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "description": "The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type \"ANY\" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure.", "references": [], "tags": {"analytic_story": ["DNS Amplification Attacks"], "asset_type": "DNS Servers", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" \"DNS.record_type\"=\"ANY\" by \"DNS.dest\" | `drop_dm_object_name(\"DNS\")` | where count>200 | `large_volume_of_dns_any_queries_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "large_volume_of_dns_any_queries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Multiple Archive Files Http Post Traffic", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "4477f3ea-a28f-11eb-b762-acde48001122", "description": "The following analytic detects the high-frequency exfiltration of archive files via HTTP POST requests. It leverages HTTP stream logs to identify specific archive file headers within the request body. This activity is significant as it often indicates data exfiltration by APTs or trojan spyware after data collection. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive data to an attacker’s command and control server, potentially resulting in severe data breaches and loss of confidential information.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.mandiant.com/resources/apt39-iranian-cyber-espionage-group-focused-on-personal-information", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = \"7z\" OR archive_hdr1 = \"PK\" OR archive_hdr2=\"Rar!\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration.", "known_false_positives": "Normal archive transfer via HTTP protocol may trip this detection.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "multiple_archive_files_http_post_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ngrok Reverse Proxy on Network", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "5790a766-53b8-40d3-a696-3547b978fcf0", "description": "The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as \"*.ngrok.com\" and \"*.ngrok.io\". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok.", "risk_score": 50, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN (\"*.ngrok.com\",\"*.ngrok.io\", \"ngrok.*.tunnel.com\", \"korgn.*.lennut.com\") by DNS.src DNS.query DNS.answer | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`", "how_to_implement": "The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ngrok_reverse_proxy_on_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Plain HTTP POST Exfiltrated Data", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "e2b36208-a364-11eb-8909-acde48001122", "description": "The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as \"wermgr.exe\" or \"svchost.exe\". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.", "references": ["https://blog.talosintelligence.com/2020/03/trickbot-primer.html"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "A http post $http_method$ sending packet with plain text of information in uri path $uri_path$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method=POST form_data IN (\"*wermgr.exe*\",\"*svchost.exe*\", \"*name=\\\"proclist\\\"*\",\"*ipconfig*\", \"*name=\\\"sysinfo\\\"*\", \"*net view*\") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "plain_http_post_exfiltrated_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Prohibited Network Traffic Allowed", "author": "Rico Valdez, Splunk", "date": "2024-05-11", "version": 3, "id": "ce5a0962-849f-4720-a678-753fe6674479", "description": "The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the \"lookup_interesting_ports\" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `prohibited_network_traffic_allowed_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "prohibited_network_traffic_allowed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Protocol or Port Mismatch", "author": "Rico Valdez, Splunk", "date": "2024-05-29", "version": 3, "id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "description": "The following analytic identifies network traffic where the higher layer protocol does not match the expected port, such as non-HTTP traffic on TCP port 80. It leverages data from network traffic inspection technologies like Bro or Palo Alto Networks firewalls. This activity is significant because it may indicate attempts to bypass firewall restrictions or conceal malicious communications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, or exfiltrate data through commonly allowed ports, posing a significant threat to network security.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocol_or_port_mismatch_filter`", "how_to_implement": "Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "protocol_or_port_mismatch_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Protocols passing authentication in cleartext", "author": "Rico Valdez, Splunk", "date": "2024-05-29", "version": 4, "id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "description": "The following analytic identifies the use of cleartext protocols that risk leaking sensitive information. It detects network traffic on legacy protocols such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21). The detection leverages the Network_Traffic data model to identify TCP traffic on these ports. Monitoring this activity is crucial as it can expose credentials and other sensitive data to interception. If confirmed malicious, attackers could capture authentication details, leading to unauthorized access and potential data breaches.", "references": ["https://www.rackaid.com/blog/secure-your-email-and-file-transfers/", "https://www.infosecmatter.com/capture-passwords-using-wireshark/"], "tags": {"analytic_story": ["Use of Cleartext Protocols"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport=\"tcp\" AND (All_Traffic.dest_port=\"23\" OR All_Traffic.dest_port=\"143\" OR All_Traffic.dest_port=\"110\" OR (All_Traffic.dest_port=\"21\" AND All_Traffic.user != \"anonymous\")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocols_passing_authentication_in_cleartext_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22)", "known_false_positives": "Some networks may use kerberized FTP or telnet servers, however, this is rare.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "protocols_passing_authentication_in_cleartext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Desktop Network Bruteforce", "author": "Jose Hernandez, Splunk", "date": "2024-05-17", "version": 3, "id": "a98727cc-286b-4ff2-b898-41df64695923", "description": "The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$dest$ may be the target of an RDP Bruteforce", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`", "how_to_implement": "You must ensure that your network traffic data is populating the Network_Traffic data model.", "known_false_positives": "RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_bruteforce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Remote Desktop Network Traffic", "author": "David Dorsey, Splunk", "date": "2024-05-29", "version": 5, "id": "272b8407-842d-4b3d-bead-a704584003d3", "description": "The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action=\"allowed\" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter`", "how_to_implement": "To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \"Identify Systems Creating Remote Desktop Traffic\" to identify systems that originate the traffic and the search \"Identify Systems Receiving Remote Desktop Traffic\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \"common_rdp_source\" or \"common_rdp_destination\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SMB Traffic Spike", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 4, "id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "description": "The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers could exfiltrate data or spread malware within the network.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\"All_Traffic\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-70m@m\"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.", "known_false_positives": "A file server may experience high-demand loads that could cause this analytic to trigger.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SMB Traffic Spike - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-21", "version": 4, "id": "d25773ba-9ad8-48d1-858e-07ad0bbeb828", "description": "The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \"%H\") | eval DayOfWeek=strftime(_time, \"%A\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \"IsOutlier(count)\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of SMB Traffic - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Identified SSL TLS Certificates", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "620fbb89-86fd-4e2e-925f-738374277586", "description": "The following analytic identifies the usage of Splunk default SSL/TLS certificates within the environment. It leverages tags such as SSL, TLS, and certificate to detect these default certificates by examining the ssl_issuer_common_name field. This activity is significant because using default certificates can expose the environment to potential security risks, as they are not unique and can be easily exploited. If confirmed malicious, attackers could intercept or manipulate data, leading to unauthorized access or data breaches. It is recommended to replace default certificates with valid, unique TLS certificates to enhance security.", "references": ["https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Proxy", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "The following $host$ is using the self signed Splunk certificate.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS \"Host(s) with Default Cert\" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype | `splunk_identified_ssl_tls_certificates_filter`", "how_to_implement": "Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will not be present as it is meant to assist with identifying default certificates being utilized.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "splunk_identified_ssl_tls_certificates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SSL Certificates with Punycode", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "696694df-5706-495a-81f2-79501fa11b90", "description": "The following analytic detects SSL certificates with Punycode domains in the SSL issuer email domain, identified by the prefix \"xn--\". It leverages the Certificates Datamodel to flag these domains and uses CyberChef for decoding. This activity is significant as Punycode can be used for domain spoofing and phishing attacks. If confirmed malicious, attackers could deceive users and systems, potentially leading to unauthorized access and data breaches.", "references": ["https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name(\"All_Certificates.SSL\")` | eval punycode=if(like(ssl_issuer_email_domain,\"%xn--%\"),1,0) | where punycode=1 | cyberchef infield=\"ssl_issuer_email_domain\" outfield=\"convertedPuny\" jsonrecipe=\"[{\"op\":\"From Punycode\",\"args\":[true]}]\" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`", "how_to_implement": "Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines.", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ssl_certificates_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "TOR Traffic", "author": "David Dorsey, Bhavin Patel, Splunk", "date": "2024-05-29", "version": 4, "id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "description": "The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities. It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed. This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network.", "references": ["https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK", "https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks."], "tags": {"analytic_story": ["Command And Control", "NOBELIUM Group", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$", "risk_score": 80, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `tor_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "None at this time", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "tor_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Content-Type Length", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "description": "The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`", "how_to_implement": "This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.", "known_false_positives": "Very few legitimate Content-Type fields will have a length greater than 100 characters.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusually_long_content_type_length_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Service Traffic", "author": "Steven Dick", "date": "2024-05-19", "version": 2, "id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "description": "The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.", "references": ["https://adsecurity.org/?p=1729", "https://attack.mitre.org/techniques/T1003/006/", "https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Active Directory Replication Traffic from Unknown Source - $src$", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN (\"ms-dc-replication\",\"*drsr*\",\"ad drs\") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `windows_ad_replication_service_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.", "known_false_positives": "New domain controllers or certian scripts run by administrators.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_replication_service_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Rogue Domain Controller Network Activity", "author": "Dean Luxton", "date": "2024-05-18", "version": 2, "id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "description": "The following analytic identifies unauthorized replication RPC calls from non-domain controller devices. It leverages Zeek wire data to detect specific RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate domain controllers. This activity is significant as it may indicate an attempt to introduce a rogue domain controller, which can compromise the integrity of the Active Directory environment. If confirmed malicious, this could allow attackers to manipulate directory data, escalate privileges, and persist within the network, posing a severe security risk.", "references": ["https://adsecurity.org/?p=1729"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "IP Address", "role": ["Victim"]}], "message": "Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$)", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category=\"Domain Controller\") OR NOT (src_category=\"Domain Controller\") | fillnull value=\"Unknown\" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`", "how_to_implement": "Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_rogue_domain_controller_network_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zeek x509 Certificate with Punycode", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "description": "The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the \"xn--\" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches.", "references": ["https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts", "https://docs.zeek.org/en/master/logs/x509.html", "https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the subject alternative name on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`zeek_x509` | rex field=san.email{} \"\\@(?xn--.*)\" | rex field=san.other_fields{} \"\\@(?xn--.*)\" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`", "how_to_implement": "The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "zeek_x509", "definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_x509_certificate_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "15838756-f425-43fa-9d88-a7f88063e81a", "description": "The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*\" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Adobe ColdFusion Access Control Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "d6821c0b-fcdc-4c95-a77f-e10752fae41a", "description": "The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.", "references": ["https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29298 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"//restplay*\", \"//CFIDE/restplay*\", \"//CFIDE/administrator*\", \"//CFIDE/adminapi*\", \"//CFIDE/main*\", \"//CFIDE/componentutils*\", \"//CFIDE/wizards*\", \"//CFIDE/servermanager*\",\"/restplay*\", \"/CFIDE/restplay*\", \"/CFIDE/administrator*\", \"/CFIDE/adminapi*\", \"/CFIDE/main*\", \"/CFIDE/componentutils*\", \"/CFIDE/wizards*\", \"/CFIDE/servermanager*\") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "adobe_coldfusion_access_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "695aceae-21db-4e7f-93ac-a52e39d02b93", "description": "The following analytic detects potential exploitation of the Adobe ColdFusion vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read. It monitors web requests to the \"/cf_scripts/scripts/ajax/ckeditor/*\" path using the Web datamodel, focusing on specific ColdFusion paths to differentiate malicious activity from normal traffic. This activity is significant due to the vulnerability's high CVSS score of 9.8, indicating severe risk. If confirmed malicious, it could lead to unauthorized data access, further attacks, or severe operational disruptions, necessitating immediate investigation.", "references": ["https://www.rapid7.com/db/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360/", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-26360 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/cf_scripts/scripts/ajax/ckeditor/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Cisco IOS XE Implant Access", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "07c36cda-6567-43c3-bc1a-89dff61e2cd9", "description": "The following analytic identifies the potential exploitation of a vulnerability (CVE-2023-20198) in the Web User Interface of Cisco IOS XE software. It detects suspicious account creation and subsequent actions, including the deployment of a non-persistent implant configuration file. The detection leverages the Web datamodel, focusing on specific URL patterns and HTTP methods. This activity is significant as it indicates unauthorized administrative access, which can lead to full control of the device. If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", "https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner"], "tags": {"analytic_story": ["Cisco IOS XE Software Web Management User Interface vulnerability"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-20198 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/webui/logoutconfirm.html?logon_hash=*\") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_ios_xe_implant_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "b593cac5-dd20-4358-972a-d945fefdaf17", "description": "The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration.", "references": ["https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966"], "tags": {"analytic_story": ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/oauth/idp/.well-known/openid-configuration*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.", "known_false_positives": "False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Citrix ADC Exploitation CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "76ac2dcb-333c-4a77-8ae9-2720cfae47a8", "description": "The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.", "references": ["https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467", "https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967"], "tags": {"analytic_story": ["Citrix Netscaler ADC CVE-2023-3519"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-3519 against $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saml/login\",\"/cgi/samlauth\",\"*/saml/activelogin\",\"/cgi/samlart?samlart=*\",\"*/cgi/logout\",\"/gwtest/formssso?event=start&target=*\",\"/netscaler/ns_gui/vpn/*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "citrix_adc_exploitation_cve_2023_3519_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "172c59f2-5fae-45e5-8e51-94445143e93f", "description": "The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as \"/documentum/upload.aspx?parentid=\", \"/documentum/upload.aspx?filename=\", and \"/documentum/upload.aspx?uploadId=*\", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.", "references": ["https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "tags": {"analytic_story": ["Citrix ShareFile RCE CVE-2023-24489"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-24489 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"/documentum/upload.aspx?*\" AND Web.url IN (\"*parentid=*\",\"*filename=*\",\"*uploadId=*\") AND Web.url IN (\"*unzip=*\", \"*raw=*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`", "how_to_implement": "Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.", "known_false_positives": "False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "citrix_sharefile_exploitation_cve_2023_24489_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "630ea8b2-2800-4f5d-9cbc-d65c567349b0", "description": "The following analytic identifies potential exploitation attempts of the Confluence CVE-2023-22515 vulnerability. It detects successful accesses (HTTP status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk 'Web' Data Model. This activity is significant for a SOC as it indicates possible privilege escalation attempts in Confluence. If confirmed malicious, attackers could gain unauthorized access or create accounts with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "references": ["https://github.com/Chocapikk/CVE-2023-22515/blob/main/exploit.py", "https://x.com/Shadowserver/status/1712378833536741430?s=20", "https://github.com/j3seer/CVE-2023-22515-POC"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*\",\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*\") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_cve_2023_22515_trigger_vulnerability_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence Data Center and Server Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 4, "id": "115bebac-0976-4f7d-a3ec-d1fb45a39a11", "description": "The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering for successful accesses (HTTP status 200) to these endpoints. This activity is significant as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. If confirmed malicious, it could result in unauthorized access or account creation with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/", "https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/setup/setupadministrator.action*\", \"*/setup/finishsetup.action*\", \"*/json/setup-restore-local.action*\", \"*/json/setup-restore-progress.action*\", \"*/json/setup-restore.action*\", \"*/bootstrap/selectsetupstep.action*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_data_center_and_server_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "f56936c0-ae6f-4eeb-91ff-ecc1448c6105", "description": "The following analytic identifies attempts to exploit a critical template injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and Server versions. It detects POST requests to the \"/template/aui/text-inline.vm\" endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection attacks. This activity is significant as it allows unauthenticated attackers to execute arbitrary code remotely. If confirmed malicious, attackers could gain full control over the affected Confluence instance, leading to data breaches, system compromise, and further network infiltration. Immediate patching is essential to mitigate this threat.", "references": ["https://github.com/cleverg0d/CVE-2023-22527", "https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "tags": {"analytic_story": ["Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/template/aui/text-inline.vm*\" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "description": "The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. Immediate investigation and remediation are crucial to prevent extensive damage.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.", "known_false_positives": "Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "d3f7a803-e802-448b-8eb2-e796b223bfff", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via an alternate path or channel. It leverages web request logs to identify access to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected system, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | rex field=Web.url \"/SetupWizard.aspx/(?.+)\" | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "104658f4-afdc-499e-9719-17243f982681", "description": "The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") AND (Web.url=\"*/web-console/ServerInfo.jsp*\" OR Web.url=\"*web-console*\" OR Web.url=\"*jmx-console*\" OR Web.url = \"*invoker*\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`", "how_to_implement": "You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.", "known_false_positives": "It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2024-05-22", "version": 2, "id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "description": "The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as \"hsqldb;\" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254"], "tags": {"analytic_story": ["F5 TMUI RCE CVE-2020-5902"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", "how_to_implement": "To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).", "known_false_positives": "unknown", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "f5_bigip_rogue", "definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_f5_tmui_rce_cve_2020_5902_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect malicious requests to exploit JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "description": "The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\" AND Web.url_length > 200 | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`", "how_to_implement": "You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model", "known_false_positives": "No known false positives for this detection.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "detect_malicious_requests_to_exploit_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Remote Access Software Usage URL", "author": "Steven Dick", "date": "2024-05-09", "version": 2, "id": "9296f515-073c-43a5-88ec-eda5a4626654", "description": "The following analytic detects the execution of known remote access software within the environment. It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url_domain", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $url_domain$ was contacted by $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"Web\")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_url_filter`", "how_to_implement": "The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_remote_access_software_usage_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Exploit Public Facing Application via Apache Commons Text", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "description": "The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/", "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/", "https://github.com/kljunowsky/CVE-2022-42889-text4shell", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035"], "tags": {"analytic_story": ["Text4Shell CVE-2022-42889"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter`", "how_to_implement": "To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.", "known_false_positives": "False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4).", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "exploit_public_facing_application_via_apache_commons_text_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "description": "The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server.", "references": ["https://github.com/horizon3ai/CVE-2022-39952", "https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30"], "tags": {"analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "F5 TMUI Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "88bf127c-613e-4579-99e4-c4d4b02f3840", "description": "The following analytic detects attempts to exploit the CVE-2023-46747 vulnerability, an authentication bypass flaw in F5 BIG-IP's Configuration utility (TMUI). It identifies this activity by monitoring for specific URI paths such as \"*/mgmt/tm/auth/user/*\" with the PATCH method and a 200 status code. This behavior is significant for a SOC as it indicates potential unauthorized access attempts, leading to remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, steal data, disrupt systems, or conduct further malicious activities within the network.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "tags": {"analytic_story": ["F5 Authentication Bypass with TMUI"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/mgmt/tm/auth/user/*\") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel.", "known_false_positives": "False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "f5_tmui_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "description": "The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://github.com/rapid7/metasploit-framework/pull/17143"], "tags": {"analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "fortinet_appliance_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Hunting for Log4Shell", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "158b68fa-5d1a-11ec-aac8-acde48001122", "description": "The following analytic detects potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific patterns. It leverages the Web Datamodel and evaluates various indicators such as the presence of `{jndi:`, environment variables, and common URI paths. This detection is significant as Log4Shell allows remote code execution, posing a severe threat to systems. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and potentially compromise sensitive data, leading to extensive damage and data breaches.", "references": ["https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449", "https://regex101.com/r/OSrm0q/1/", "https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar", "https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/", "https://gist.github.com/MHaggis/1899b8554f38c8692a9fb0ceba60b44c", "https://twitter.com/sasi2103/status/1469764719850442760?s=20"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}, {"name": "src", "type": "Other", "role": ["Other"]}], "message": "Hunting for Log4Shell exploitation has occurred.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`", "how_to_implement": "Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against.", "known_false_positives": "It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "hunting_for_log4shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure Command Injection Attempts", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "1f32a7e0-a060-4545-b7de-73fcf9ad536e", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://twitter.com/GreyNoiseIO/status/1747711939466453301"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN(\"*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*\",\"*/api/v1/totp/user-backup-code/../../license/keys-status/*\") Web.http_method IN (\"POST\", \"GET\") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_connect_secure_command_injection_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "8e6ca490-7af3-4299-9a24-39fb69759925", "description": "The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration.", "references": ["https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis", "https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2024-21893 against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/dana-ws/saml20.ws*\",\"*/dana-ws/saml.ws*\",\"*/dana-ws/samlecp.ws*\",\"*/dana-na/auth/saml-logout.cgi/*\") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_connect_secure_ssrf_in_saml_component_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "d51c13dd-a232-4c83-a2bb-72ab36233c5d", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests to the /api/v1/totp/user-backup-code/../../system/system-information URI, which leverage an authentication bypass to access system information. The detection uses the Web datamodel to identify requests with a 200 OK response, indicating a successful exploit attempt. This activity is significant as it reveals potential unauthorized access to sensitive system information. If confirmed malicious, attackers could gain critical insights into the system, facilitating further exploitation and compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/totp/user-backup-code/../../system/system-information*\" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_connect_secure_system_information_access_via_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "66b9c9ba-7fb2-4e80-a3a2-496e5e078167", "description": "The following analytic detects attempts to exploit CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. It identifies HTTP requests to the endpoint \"/mifs/aad/api/v2/authorized/users?*\" with a status code of 200 in web logs. This activity is significant as it indicates unauthorized remote access to restricted functionalities or resources. If confirmed malicious, this could lead to data theft, unauthorized modifications, or further system compromise, necessitating immediate action to mitigate potential severe impacts.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/aad/api/v2/authorized/users?*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "e03edeba-4942-470c-a664-27253f3ad351", "description": "The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products. It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access. This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications. If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py", "https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/asfV3/api/v2/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Sentry Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8", "description": "The following analytic identifies unauthenticated access attempts to the System Manager Portal in Ivanti Sentry, exploiting CVE-2023-38035. It detects this activity by monitoring HTTP requests to specific endpoints (\"/mics/services/configservice/*\", \"/mics/services/*\", \"/mics/services/MICSLogService*\") with a status code of 200. This behavior is significant for a SOC as it indicates potential unauthorized access, which could lead to OS command execution as root. If confirmed malicious, this activity could result in significant system compromise and data breaches, especially if port 8443 is exposed to the internet.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "tags": {"analytic_story": ["Ivanti Sentry Authentication Bypass CVE-2023-38035"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-38035 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mics/services/configservice/*\", \"/mics/services/*\",\"/mics/services/MICSLogService*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ivanti_sentry_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Jenkins Arbitrary File Read CVE-2024-23897", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1", "description": "The following analytic identifies attempts to exploit Jenkins Arbitrary File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing \"*/cli?remoting=false*\" with a 200 status code. This activity is significant as it indicates potential unauthorized access to sensitive files on the Jenkins server, such as credentials and private keys. If confirmed malicious, this could lead to severe data breaches, unauthorized access, and further exploitation within the environment.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9025", "https://github.com/jenkinsci-cert/SECURITY-3314-3315", "https://github.com/binganao/CVE-2024-23897", "https://github.com/h4x0r-dz/CVE-2024-23897", "https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/", "https://www.shodan.io/search?query=product%3A%22Jenkins%22", "https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html"], "tags": {"analytic_story": ["Jenkins Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/cli?remoting=false*\" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source.", "known_false_positives": "False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "jenkins_arbitrary_file_read_cve_2024_23897_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd4", "description": "The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/", "https://github.com/yoryio/CVE-2024-27198/blob/main/CVE-2024-27198.py"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url=\"*?jsp=*\" AND Web.url=\"*;.jsp*\") Web.status=200 Web.http_method=POST) OR (Web.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`", "how_to_implement": "The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd3", "description": "The following analytic detects attempts to exploit the CVE-2024-27198 vulnerability in JetBrains TeamCity on-premises servers, which allows attackers to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to identify suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints. This activity is significant because it can lead to unauthorized administrative access, enabling attackers to gain full control over the TeamCity server, including projects, builds, agents, and artifacts. If confirmed malicious, this could result in severe security breaches and compromise the integrity of the development environment.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`suricata` ((http.url=\"*?jsp=*\" AND http.url=\"*;.jsp*\") http.status=200 http_method=POST) OR (http.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "a1e68dcd-2e24-4434-bd0e-b3d4de139d58", "description": "The following analytic identifies attempts to exploit CVE-2024-27199, a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated access to specific endpoints. It detects unusual access patterns to vulnerable paths such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic logs via Suricata. This activity is significant as it could indicate an attacker bypassing authentication to access or modify system settings. If confirmed malicious, this could lead to unauthorized changes, disclosure of sensitive information, or uploading of malicious certificates, severely compromising the server's security.", "references": ["https://github.com/projectdiscovery/nuclei-templates/blob/f644ec82dfe018890c6aa308967424d26c0f1522/http/cves/2024/CVE-2024-27199.yaml", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`suricata` http.url IN (\"*../admin/diagnostic.jsp*\", \"*../app/https/settings/*\", \"*../app/pipeline*\", \"*../app/oauth/space/createBuild.html*\", \"*../res/*\", \"*../update/*\", \"*../.well-known/acme-challenge/*\", \"*../app/availableRunners*\", \"*../app/https/settings/setPort*\", \"*../app/https/settings/certificateInfo*\", \"*../app/https/settings/defaultHttpsPort*\", \"*../app/https/settings/fetchFromAcme*\", \"*../app/https/settings/removeCertificate*\", \"*../app/https/settings/uploadCertificate*\", \"*../app/https/settings/termsOfService*\", \"*../app/https/settings/triggerAcmeChallenge*\", \"*../app/https/settings/cancelAcmeChallenge*\", \"*../app/https/settings/getAcmeOrder*\", \"*../app/https/settings/setRedirectStrategy*\") http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "JetBrains TeamCity RCE Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "89a58e5f-1365-4793-b45c-770abbb32b6c", "description": "The following analytic detects attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises. It identifies suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, leveraging the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it may indicate an unauthenticated attacker attempting to gain administrative access via Remote Code Execution (RCE). If confirmed malicious, this could allow the attacker to execute arbitrary code, potentially compromising the entire TeamCity environment and leading to further unauthorized access and data breaches.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "tags": {"analytic_story": ["CISA AA23-347A", "JetBrains TeamCity Unauthenticated RCE", "JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/app/rest/users/id:1/tokens/RPC2*\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "jetbrains_teamcity_rce_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Juniper Networks Remote Code Execution Exploit Detection", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "6cc4cc3d-b10a-4fac-be1e-55d384fc690e", "description": "The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/", "https://vulncheck.com/blog/juniper-cve-2023-36845"], "tags": {"analytic_story": ["Juniper JunOS Remote Code Execution"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/webauth_operation.php?PHPRC=*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`", "how_to_implement": "To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.", "known_false_positives": "Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "juniper_networks_remote_code_execution_exploit_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "author": "Jose Hernandez", "date": "2024-05-25", "version": 2, "id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "description": "The following analytic identifies attempts to inject Log4Shell JNDI payloads via web calls. It leverages the Web datamodel and uses regex to detect patterns like `${jndi:ldap://` in raw web event data, including HTTP headers. This activity is significant because it targets vulnerabilities in Java web applications using Log4j, such as Apache Struts and Solr. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to full system compromise. Immediate investigation is required to determine if the attempt was successful and to mitigate any potential exploitation.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "log4shell_jndi_payload_injection_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "author": "Jose Hernandez", "date": "2024-05-16", "version": 2, "id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "description": "The following analytic detects Log4Shell JNDI payload injections via outbound connections. It identifies suspicious LDAP lookup functions in web logs, such as `${jndi:ldap://PAYLOAD_INJECTED}`, and correlates them with network traffic to known malicious IP addresses. This detection leverages the Web and Network_Traffic data models in Splunk. Monitoring this activity is crucial as it targets vulnerabilities in Java web applications using log4j, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise sensitive data within the affected environment.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Network_Traffic", "Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "log4shell_jndi_payload_injection_with_outbound_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Microsoft SharePoint Server Elevation of Privilege", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2024-05-19", "version": 2, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859d", "description": "The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts. This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment. If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs"], "tags": {"analytic_story": ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29357 against $dest$ from $src$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/_api/web/siteusers*\",\"/_api/web/currentuser*\") Web.status=200 Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.", "known_false_positives": "False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "microsoft_sharepoint_server_elevation_of_privilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor Web Traffic For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "description": "The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_web", "definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "monitor_web_traffic_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "b3f7a803-e802-448b-8eb2-e796b223bccc", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via alternate paths or channels. It leverages Nginx access logs to identify web requests to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected ScreenConnect instance, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://docs.splunk.com/Documentation/AddOns/released/NGINX/Sourcetypes", "https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Proxy", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`nginx_access_logs` uri_path IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nginx_connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "nginx_access_logs", "definition": "(sourcetype=\"nginx:plus:kv\" OR sourcetype=\"nginx:plus:access\")", "description": "This is the base macro for Nginx sourcetypes"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "nginx_connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PaperCut NG Remote Web Access Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "description": "The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges. This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server. If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "papercut_ng_remote_web_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "description": "The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", "how_to_implement": "To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.", "known_false_positives": "False positives will be limited, however tune or modify the query as needed.", "datamodel": ["Risk"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "proxyshell_proxynotshell_behavior_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spring4Shell Payload URL Request", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "9d44d649-7d67-4559-95c1-8022ff49420b", "description": "The following analytic detects attempts to exploit the Spring4Shell vulnerability (CVE-2022-22963) by identifying specific URL patterns associated with web shell payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs containing indicators like \"tomcatwar.jsp,\" \"poc.jsp,\" and \"shell.jsp.\" This activity is significant as it suggests an attacker is trying to deploy a web shell, which can lead to remote code execution. If confirmed malicious, this could allow the attacker to gain persistent access, execute arbitrary commands, and potentially escalate privileges within the compromised environment.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", "risk_score": 36, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "The jsp file names are static names used in current proof of concept code. =", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spring4shell_payload_url_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SQL Injection with Long URLs", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 4, "id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "description": "The following analytic detects long URLs containing multiple SQL commands, indicating a potential SQL injection attack. This detection leverages web traffic data, specifically targeting web server destinations with URLs longer than 1024 characters or HTTP user agents longer than 200 characters. SQL injection is significant as it allows attackers to manipulate a web application's database, potentially leading to unauthorized data access or modification. If confirmed malicious, this activity could result in data breaches, unauthorized access, and complete system compromise. Immediate investigation and validation of alerts are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["SQL Injection"], "asset_type": "Database Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "SQL injection attempt with url $url$ detected on $dest$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table.", "known_false_positives": "It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "sql_injection_with_long_urls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Supernova Webshell", "author": "John Stoner, Splunk", "date": "2024-05-26", "version": 2, "id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "description": "The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing \"*logoimagehandler.ashx*codes*\", \"*logoimagehandler.ashx*clazz*\", \"*logoimagehandler.ashx*method*\", and \"*logoimagehandler.ashx*args*\". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.", "known_false_positives": "There might be false positives associted with this detection since items like args as a web argument is pretty generic.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "supernova_webshell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMWare Aria Operations Exploit Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "description": "The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint \"/saas./resttosaasservlet.\" This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"], "tags": {"analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saas./resttosaasservlet*\") Web.http_method=POST Web.status IN (\"unknown\", \"200\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.", "known_false_positives": "False positives will be present based on gateways in use, modify the status field as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_aria_operations_exploit_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Server Side Template Injection Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "description": "The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing \"deviceudid\" and keywords like \"java.lang.ProcessBuilder\" or \"freemarker.template.utility.ObjectConstructor\" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 35, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*deviceudid=*\" AND Web.url IN (\"*java.lang.ProcessBuilder*\",\"*freemarker.template.utility.ObjectConstructor*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_server_side_template_injection_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "description": "The following analytic detects server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE. It leverages web or proxy logs to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with the freemarker.template.utility.Execute command. This activity is significant as it indicates potential exploitation attempts that could lead to remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*/catalog-portal/ui/oauth/verify?error=&deviceudid=*\" AND Web.url=\"*freemarker.template.utility.Execute*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_workspace_one_freemarker_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web JSP Request via URL", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "2850c734-2d44-4431-8139-1a56f6f54c01", "description": "The following analytic identifies URL requests associated with CVE-2022-22965 (Spring4Shell) exploitation attempts, specifically targeting webshell access on a remote webserver. It detects HTTP GET requests with URLs containing \".jsp?cmd=\" or \"j&cmd=\" patterns. This activity is significant as it indicates potential webshell deployment, which can lead to unauthorized remote command execution. If confirmed malicious, attackers could gain control over the webserver, execute arbitrary commands, and potentially escalate privileges, leading to severe data breaches and system compromise.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to web shell activity.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*.jsp?cmd=*\",\"*j&cmd=*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_jsp_request_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Remote ShellServlet Access", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "c2a332c3-24a2-4e24-9455-0e80332e6746", "description": "The following analytic identifies attempts to access the Remote ShellServlet on a web server, specifically targeting Confluence servers vulnerable to CVE-2023-22518 and CVE-2023-22515. It leverages web data to detect URLs containing \"*plugins/servlet/com.jsos.shell/*\" with a status code of 200. This activity is significant as it is commonly associated with web shells and other malicious behaviors, potentially leading to unauthorized command execution. If confirmed malicious, attackers could gain remote code execution capabilities, compromising the server and potentially the entire network.", "references": ["http://www.servletsuite.com/servlets/shell.htm"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*plugins/servlet/com.jsos.shell/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_remote_shellservlet_access_filter`", "how_to_implement": "This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic.", "known_false_positives": "False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_remote_shellservlet_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring4Shell HTTP Request Class Module", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "description": "The following analytic detects HTTP requests containing payloads related to the Spring4Shell vulnerability (CVE-2022-22965). It leverages Splunk Stream HTTP data to inspect the HTTP request body and form data for specific fields such as \"class.module.classLoader.resources.context.parent.pipeline.first\". This activity is significant as it indicates an attempt to exploit a critical vulnerability in Spring Framework, potentially leading to remote code execution. If confirmed malicious, this could allow attackers to gain unauthorized access, execute arbitrary code, and compromise the affected system.", "references": ["https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A http body request related to Spring4Shell has been sent to $dest$ by $src$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "False positives may occur and filtering may be required. Restrict analytic to asset type.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_spring4shell_http_request_class_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring Cloud Function FunctionRouter", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "89dddbad-369a-4f8a-ace2-2439218735bc", "description": "The following analytic identifies HTTP POST requests to the Spring Cloud Function endpoint containing \"functionRouter\" in the URL. It leverages the Web data model to detect these requests based on specific fields such as http_method, url, and http_user_agent. This activity is significant because it targets CVE-2022-22963, a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept exploits available. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://github.com/rapid7/metasploit-framework/pull/16395", "https://github.com/hktalent/spring-spel-0day-poc"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"POST\") Web.url=\"*/functionRouter*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_spring_cloud_function_functionrouter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "author": "Michael Haag, Nathaniel Stearns, Splunk", "date": "2024-05-16", "version": 2, "id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "description": "The following analytic detects potential abuse of the ProxyShell or ProxyNotShell vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It leverages the Web datamodel to identify suspicious POST requests with specific URI paths and queries related to autodiscover, powershell, and mapi. This activity is significant as it may indicate an attempt to exploit Exchange server vulnerabilities to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://docs.splunk.com/Documentation/AddOns/released/MSIIS", "https://highon.coffee/blog/ssrf-cheat-sheet/", "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(\"Web\")` | eval is_autodiscover=if(like(lower(uri_path),\"%autodiscover%\"),1,0) | eval powershell = if(match(lower(uri_query),\"powershell\"), \"1\",0) | eval mapi=if(like(uri_query,\"%/mapi/%\"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.", "known_false_positives": "False positives are limited.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_exchange_autodiscover_ssrf_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WordPress Bricks Builder plugin RCE", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "56a8771a-3fda-4959-b81d-2f266e2f679f", "description": "The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. It detects HTTP POST requests to the URL path \"/wp-json/bricks/v1/render_element\" with a status code of 200, leveraging the Web datamodel. This activity is significant as it indicates an attempt to exploit CVE-2024-25600, a known vulnerability that allows remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the target server, leading to potential full system compromise and unauthorized access to sensitive data.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "tags": {"analytic_story": ["WordPress Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/wp-json/bricks/v1/render_element\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter`", "how_to_implement": "The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed.", "known_false_positives": "False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wordpress_bricks_builder_plugin_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WS FTP Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "b84e8f39-4e7b-4d4f-9e7c-fcd29a227845", "description": "The following analytic detects potential Remote Code Execution (RCE) attempts exploiting CVE-2023-40044 in WS_FTP software. It identifies HTTP POST requests to the \"/AHT/AhtApiService.asmx/AuthUser\" URL with a status code of 200. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. This activity is significant as it may indicate an exploitation attempt, potentially allowing an attacker to execute arbitrary code on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/8296/files", "https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://github.com/rapid7/metasploit-framework/pull/18414"], "tags": {"analytic_story": ["WS FTP Server Critical Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/AHT/AhtApiService.asmx/AuthUser\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ws_ftp_remote_code_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Adware Activities Threat Blocked", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 2, "id": "3407b250-345a-4d71-80db-c91e555a3ece", "description": "The following analytic identifies potential adware activity blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with adware threats. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as adware can degrade system performance, lead to unwanted advertisements, and potentially expose users to further malicious content. If confirmed malicious, it could indicate an attempt to compromise user systems, necessitating further investigation and remediation to prevent potential data breaches or system exploitation.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_adware_activities_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_adware_activities_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Behavior Analysis Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "289ad59f-8939-4331-b805-f2bd51d36fb8", "description": "The following analytic identifies threats blocked by the Zscaler proxy based on behavior analysis. It leverages web proxy logs to detect entries where actions are blocked and threat names and classes are specified. This detection is significant as it highlights potential malicious activities that were intercepted by Zscaler's behavior analysis, providing early indicators of threats. If confirmed malicious, these blocked threats could indicate attempted breaches or malware infections, helping security teams to understand and mitigate potential risks in their environment.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=\"Behavior Analysis\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_behavior_analysis_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_behavior_analysis_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-22", "version": 2, "id": "ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365", "description": "The following analytic identifies attempts to download cryptomining software that are blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with cryptominer threats, analyzing key data points such as device owner, user, URL category, destination URL, and IP. This activity is significant for a SOC as it helps in early identification and mitigation of cryptomining activities, which can compromise network integrity and resource availability. If confirmed malicious, this activity could lead to unauthorized use of network resources for cryptomining, potentially degrading system performance and increasing operational costs.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 32, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_cryptominer_downloaded_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_cryptominer_downloaded_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Employment Search Web Activity", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-11", "version": 2, "id": "5456bdef-d765-4565-8e1f-61ca027bc50e", "description": "The following analytic identifies web activity related to employment searches within a network. It leverages Zscaler web proxy logs, focusing on entries categorized as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This detection is significant for SOCs as it helps monitor potential insider threats by identifying users who may be seeking new employment. If confirmed malicious, this activity could indicate a risk of data exfiltration or other insider threats, potentially leading to sensitive information leakage or other security breaches.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 4, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` urlsupercategory=\"Job/Employment Search\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_employment_search_web_activity_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_employment_search_web_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Exploit Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "94665d8c-b841-4ff4-acb4-34d613e2cbfe", "description": "The following analytic identifies potential exploit attempts involving command and script interpreters blocked by Zscaler. It leverages web proxy logs to detect incidents where actions are blocked due to exploit references. The detection compiles statistics by user, threat name, URL, hostname, file class, and filename. This activity is significant as it helps identify and mitigate exploit attempts, which are critical for maintaining security. If confirmed malicious, such activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a severe threat to organizational security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_exploit_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_exploit_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Legal Liability Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 2, "id": "bbf55ebf-c416-4f62-94d9-4064f2a28014", "description": "The following analytic identifies significant legal liability threats blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, device owners, users, URL categories, and actions associated with legal liability. By leveraging statistics on unique fields, it ensures a precise focus on these threats. This activity is significant for SOC as it helps enforce legal compliance and risk management. If confirmed malicious, it could indicate attempts to access legally sensitive or restricted content, potentially leading to legal repercussions and compliance violations.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` urlclass=\"Legal Liability\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_legal_liability_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Malware Activity Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-12", "version": 2, "id": "ae874ad8-e353-40a7-87d4-420cdfb27d1a", "description": "The following analytic identifies potential malware activities within a network that are blocked by Zscaler. It leverages web proxy logs to filter for blocked actions associated with malware, aggregating occurrences by user, URL, and threat category. This detection is significant for SOC as it highlights attempts to access malicious content, indicating potential compromise or targeted attacks. If confirmed malicious, this activity could signify an ongoing attempt to infiltrate the network, necessitating immediate investigation to prevent further threats and ensure network integrity.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_malware_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_malware_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Phishing Activity Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-12", "version": 2, "id": "68d3e2c1-e97f-4310-b080-dea180b48aa9", "description": "The following analytic identifies potential phishing attempts blocked by Zscaler within a network. It leverages web proxy logs to detect actions tagged as HTML.Phish. The detection method involves analyzing critical data points such as user, threat name, URL, and hostname. This activity is significant for a SOC as it serves as an early warning system for phishing threats, enabling prompt investigation and mitigation. If confirmed malicious, this activity could indicate an attempt to deceive users into divulging sensitive information, potentially leading to data breaches or credential theft.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=\"HTML.Phish*\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_phishing_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_phishing_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Potentially Abused File Download", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-22", "version": 2, "id": "b0c21379-f4ba-4bac-a958-897e260f964a", "description": "The following analytic identifies the download of potentially malicious file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, user, urlcategory, url, dest, and filename. This activity is significant as these file types are often used to spread malware, posing a threat to network security. If confirmed malicious, this activity could lead to malware execution, data compromise, or further network infiltration.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` url IN (\"*.scr\", \"*.dll\", \"*.bat\", \"*.lnk\") | stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_potentially_abused_file_download_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_potentially_abused_file_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-24", "version": 2, "id": "5456bdef-d765-4565-8e1f-61ca027bc50d", "description": "The following analytic identifies blocked destinations within a network that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing on entries marked as \"Privacy Risk.\" Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant for a SOC as it helps monitor and manage privacy risks, ensuring a secure network environment. If confirmed malicious, this activity could indicate attempts to access or exfiltrate sensitive information, posing a significant threat to data privacy and security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked urlclass=\"Privacy Risk\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_privacy_risk_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": ["Risk"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_privacy_risk_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Scam Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-27", "version": 2, "id": "a0c21379-f4ba-4bac-a958-897e260f964a", "description": "The following analytic identifies blocked scam-related activities detected by Zscaler within a network. It leverages web proxy logs to examine actions flagged as scam threats, focusing on data points such as device owner, user, URL category, destination URL, and IP. This detection is significant for SOC as it helps in the early identification and mitigation of scam activities, ensuring network safety. If confirmed malicious, this activity could indicate attempts to deceive users, potentially leading to data theft or financial loss.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_scam_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_scam_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Virus Download threat blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-17", "version": 2, "id": "aa19e627-d448-4a31-85cd-82068dec5691", "description": "The following analytic identifies attempts to download viruses that were blocked by Zscaler within a network. It leverages web proxy logs to detect blocked actions indicative of virus download attempts. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as it helps in early detection and remediation of potential virus threats, enhancing network security. If confirmed malicious, this activity could indicate an attempt to compromise the network, potentially leading to data breaches or further malware infections.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=Virus | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_virus_download_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_virus_download_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}]} ->>>>>>> develop +{"detections": [{"name": "CrushFTP Server Side Template Injection", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "ccf6b7a3-bd39-4bc9-a949-143a8d640dbc", "description": "This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "tags": {"analytic_story": ["CrushFTP Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`crushftp` | rex field=_raw \"\\[(?HTTPS|HTTP):(?[^\\:]+):(?[^\\:]+):(?\\d+\\.\\d+\\.\\d+\\.\\d+)\\] (?READ|WROTE): \\*(?[A-Z]+) (?[^\\s]+) HTTP/[^\\*]+\\*\" | eval message=if(match(_raw, \"INCLUDE\") and isnotnull(src_ip), \"traces of exploitation by \" . src_ip, \"false\") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time| `crushftp_server_side_template_injection_filter`", "how_to_implement": "CrushFTP Session logs, from Windows or Linux, must be ingested to Splunk. Currently, there is no TA for CrushFTP, so the data must be extracted from the raw logs.", "known_false_positives": "False positives should be limited, however tune or filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "crushftp", "definition": "sourcetype=\"crushftp:sessionlogs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "crushftp_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Distributed Password Spray Attempts", "author": "Dean Luxton", "date": "2023-11-01", "version": 1, "id": "b1a82fc8-8a9f-4344-9ec2-bde5c5331b57", "description": "This analytic employs the 3-sigma approach to identify distributed password spray attacks. A distributed password spray attack is a type of brute force attack where the attacker attempts a few common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Compromised User Account"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "unique_accounts", "type": "User", "role": ["Victim"]}], "message": "Distributed Password Spray Attempt Detected from $src$", "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action=\"failure\" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m | `drop_dm_object_name(\"Authentication\")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] | fillnull value=0 unique_accounts, unique_src ``` remove duplicate & empty time buckets``` | sort - total_failures | dedup _time ``` Create aggregation field & apply to all null events``` | eval counter=sourcetype+\"__\"+signature_id | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) ``` 3-sigma detection logic ``` | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) | replace \"::ffff:*\" with * in src | where isOutlier=1 | foreach * [ eval <> = if(<>=\"null\",null(),<>)] | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id | sort - total_failures | `detect_distributed_password_spray_attempts_filter`", "how_to_implement": "Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) and that the src field is populated with the source device information. Additionally, ensure that fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from log sources that do not feature the signature_id field in the results.", "known_false_positives": "It is common to see a spike of legitimate failed authentication events on monday mornings.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "detect_distributed_password_spray_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect New Login Attempts to Routers", "author": "Bhavin Patel, Splunk", "date": "2024-05-14", "version": 2, "id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "description": "The following analytic identifies new login attempts to routers. It leverages authentication logs from the ES Assets and Identity Framework, focusing on assets categorized as routers. The detection flags connections that have not been observed in the past 30 days. This activity is significant because unauthorized access to routers can lead to network disruptions or data interception. If confirmed malicious, attackers could gain control over network traffic, potentially leading to data breaches or further network compromise.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \"-30d@d\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\"Authentication\")` | `detect_new_login_attempts_to_routers_filter`", "how_to_implement": "To successfully implement this search, you must ensure the network router devices are categorized as \"router\" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.", "known_false_positives": "Legitimate router connections may appear as new connections", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "detect_new_login_attempts_to_routers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Password Spray Attempts", "author": "Dean Luxton", "date": "2023-11-01", "version": 1, "id": "086ab581-8877-42b3-9aee-4a7ecb0923af", "description": "This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Compromised User Account"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Endpoint", "role": ["Attacker"]}, {"name": "sourcetype", "type": "Other", "role": ["Victim"]}], "message": "Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts.", "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action=\"failure\" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m | `drop_dm_object_name(\"Authentication\")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] | fillnull value=0 unique_accounts, unique_src ``` remove duplicate & empty time buckets``` | sort - total_failures | dedup _time ``` Create aggregation field & apply to all null events``` | eval counter=src+\"__\"+sourcetype+\"__\"+signature_id | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) | replace \"::ffff:*\" with * in src | where isOutlier=1 | foreach * [ eval <> = if(<>=\"null\",null(),<>)] | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id | `detect_password_spray_attempts_filter`", "how_to_implement": "Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.", "known_false_positives": "Unknown", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "detect_password_spray_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Risky SPL using Pretrained ML Model", "author": "Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk", "date": "2024-05-26", "version": 2, "id": "b4aefb5f-1037-410d-a149-1e091288ba33", "description": "The following analytic identifies potentially risky SPL commands executed by users. It leverages a pretrained machine learning text classifier that analyzes command text, user, and search type to assign a risk score between 0 and 1. This detection is significant as it helps identify suspicious or unauthorized search activities that could indicate malicious intent or misuse of the Splunk environment. If confirmed malicious, such activity could lead to unauthorized data access, data exfiltration, or further exploitation of the system.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potentially risky Splunk command has been run by $user$, kindly review.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. \" \" .'Search_Activity.user'. \" \" .'Search_Activity.search_type'| dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter`", "how_to_implement": "This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.", "known_false_positives": "False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "detect_risky_spl_using_pretrained_ml_model_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Email Attachments With Lots Of Spaces", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 3, "id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "description": "The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | eval space_ratio = (mvcount(split(file_name,\" \"))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address \"(?.*)@\" | `email_attachments_with_lots_of_spaces_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "email_attachments_with_lots_of_spaces_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Email files written outside of the Outlook directory", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 4, "id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "description": "The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in \"C:\\Users\\*\\My Documents\\Outlook Files\\*\" or \"C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*\". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \"C:\\\\Users\\\\*\\\\My Documents\\\\Outlook Files\\\\*\" Filesystem.file_path!=\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Outlook*\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "email_files_written_outside_of_the_outlook_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Email servers sending high volume traffic to hosts", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "description": "The following analytic identifies a significant increase in data transfers from your email server to client hosts. It leverages the Network_Traffic data model to monitor outbound traffic from email servers, using statistical analysis to detect anomalies based on average and standard deviation metrics. This activity is significant as it may indicate a malicious actor exfiltrating data via your email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "application", "nes_fields": null, "macros": [{"name": "email_servers_sending_high_volume_traffic_to_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Monitor Email For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-04-16", "version": 3, "id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "description": "The following analytic identifies emails claiming to be sent from a domain similar to one you are monitoring for potential abuse. It leverages email header data, specifically the sender's address, and cross-references it with a lookup table of known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or brand impersonation, which are common tactics used in social engineering attacks. If confirmed malicious, this could lead to unauthorized access, data theft, or reputational damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\"All_Email\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \"@\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`", "how_to_implement": "You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Email"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "monitor_email_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor", "filename": "brand_monitoring.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "No Windows Updates in a time frame", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "description": "The following analytic identifies Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. It leverages the 'Update' data model in Splunk, specifically looking for the latest 'Installed' status events from Microsoft Windows. This activity is significant for a SOC because endpoints that are not regularly patched are vulnerable to known exploits and security vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint that is intentionally being kept unpatched, potentially allowing attackers to exploit unpatched vulnerabilities and gain unauthorized access or control.", "references": [], "tags": {"analytic_story": ["Monitor for Updates"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\"Microsoft Windows\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \"Update Status\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \"-60d@d\"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as \"Last Update Time\", | table Host, \"Update Status\", Product, \"Last Update Time\" | `no_windows_updates_in_a_time_frame_filter`", "how_to_implement": "To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.", "known_false_positives": "None identified", "datamodel": ["Updates"], "source": "application", "nes_fields": null, "macros": [{"name": "no_windows_updates_in_a_time_frame_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 2, "id": "e2b99e7d-d956-411a-a120-2b14adfdde93", "description": "The following analytic identifies failed authentication attempts during the Multi-Factor Authentication (MFA) challenge in an Okta tenant. It uses the Authentication datamodel to detect specific failed events where the authentication signature is `user.authentication.auth_via_mfa`. This activity is significant as it may indicate an adversary attempting to authenticate with compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing attempt to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "references": ["https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]\"", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Authentication.app) as app values(Authentication.reason) as reason values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.authentication.auth_via_mfa Authentication.action = failure by _time Authentication.src Authentication.user Authentication.dest Authentication.action | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| iplocation src | `okta_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A user may have accidentally entered the wrong credentials during the MFA challenge. If the user is new to MFA, they may have trouble authenticating. Ensure that the user is aware of the MFA process and has the correct credentials.", "datamodel": ["Authentication"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta IDP Lifecycle Modifications", "author": "Bhavin Patel, Splunk", "date": "2024-05-28", "version": 2, "id": "e0be2c83-5526-4219-a14f-c3db2e763d15", "description": "The following analytic identifies modifications to Okta Identity Provider (IDP) lifecycle events, including creation, activation, deactivation, and deletion of IDP configurations. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Monitoring these events is crucial for maintaining the integrity and security of authentication mechanisms. Unauthorized or anomalous changes could indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could manipulate authentication processes, potentially gaining unauthorized access or disrupting identity management systems.", "references": ["https://www.obsidiansecurity.com/blog/behind-the-breach-cross-tenant-impersonation-in-okta/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]\"", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_id": ["T1087.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (\"system.idp.lifecycle.activate\",\"system.idp.lifecycle.create\",\"system.idp.lifecycle.delete\",\"system.idp.lifecycle.deactivate\") | stats count min(_time) as firstTime max(_time) as lastTime values(target{}.id) as target_id values(target{}.type) as target_modified by src dest src_user_id user user_agent command description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_idp_lifecycle_modifications_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It's possible for legitimate administrative actions or automated processes to trigger this detection, especially if there are bulk modifications to Okta IDP lifecycle events. Review the context of the modification, such as the user making the change and the specific lifecycle event modified, to determine if it aligns with expected behavior.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_idp_lifecycle_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta MFA Exhaustion Hunt", "author": "Michael Haag, Marissa Bower, Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "description": "The following analytic detects patterns of successful and failed Okta MFA push attempts to identify potential MFA exhaustion attacks. It leverages Okta event logs, specifically focusing on push verification events, and uses statistical evaluations to determine suspicious activity. This activity is significant as it may indicate an attacker attempting to bypass MFA by overwhelming the user with push notifications. If confirmed malicious, this could lead to unauthorized access, compromising the security of the affected accounts and potentially the entire environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock", "https://sec.okta.com/everythingisyes", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 18, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType=\"core.user.factor.attempt_success\")) as successes count(eval(legacyEventType=\"core.user.factor.attempt_fail\")) as failures count(eval(eventType=\"system.push.send_factor_verify_push\")) as pushes by user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, \"%c\") | search (pushes>1) | eval totalattempts=successes+failures | eval finding=\"Normal authentication pattern\" | eval finding=if(failures==pushes AND pushes>1,\"Authentication attempts not successful because multiple pushes denied\",finding) | eval finding=if(totalattempts==0,\"Multiple pushes sent and ignored\",finding) | eval finding=if(successes>0 AND pushes>3,\"Probably should investigate. Multiple pushes sent, eventual successful authentication!\",finding) | `okta_mfa_exhaustion_hunt_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mfa_exhaustion_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "author": "John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "description": "The following analytic identifies discrepancies between the source and response events for Okta Verify Push requests, indicating potential suspicious behavior. It leverages Okta System Log events, specifically `system.push.send_factor_verify_push` and `user.authentication.auth_via_mfa` with the factor \"OKTA_VERIFY_PUSH.\" The detection groups events by SessionID, calculates the ratio of successful sign-ins to push requests, and checks for session roaming and new device/IP usage. This activity is significant as it may indicate push spam or unauthorized access attempts. If confirmed malicious, attackers could bypass MFA, leading to unauthorized access to sensitive systems.", "references": ["https://attack.mitre.org/techniques/T1621", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\") | eval groupby=\"authenticationContext.externalSessionId\" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_pushes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_successes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"FAILURE\",1,0))) as total_rejected sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New Device=POSITIVE%\",1,0))) as suspect_device_from_source sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New IP=POSITIVE%\",0,0))) as suspect_ip_from_source values(eval(if(eventType=\"system.push.send_factor_verify_push\",\"client.ipAddress\",\"\"))) as src values(eval(if(eventType=\"user.authentication.auth_via_mfa\",\"client.ipAddress\",\"\"))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "7c0348ce-bdf9-45f6-8a57-c18b5976f00a", "description": "The following analytic identifies an attempt to disable multi-factor authentication (MFA) for an Okta user. It leverages OktaIM2 logs to detect when the 'user.mfa.factor.deactivate' command is executed. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised valid account. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access to sensitive information and prolonged undetected presence in the network.", "references": ["https://attack.mitre.org/techniques/T1556/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where sourcetype=\"OktaIM2:log\" All_Changes.object_category=User AND All_Changes.action=modified All_Changes.command=user.mfa.factor.deactivate by All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multi_factor_authentication_disabled_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter lightly and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Multiple Accounts Locked Out", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "a511426e-184f-4de6-8711-cfd2af29d1e1", "description": "The following analytic detects multiple Okta accounts being locked out within a short period. It uses the user.account.lock event from Okta logs, aggregated over a 5-minute window, to identify this behavior. This activity is significant as it may indicate a brute force or password spraying attack, where an adversary attempts to guess passwords, leading to account lockouts. If confirmed malicious, this could result in potential account takeovers or unauthorized access to sensitive Okta accounts, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.", "risk_score": 49, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime values(All_Changes.user) as user from datamodel=Change where All_Changes.change_type=AAA All_Changes.object_category=User AND All_Changes.action=lockout AND All_Changes.command=user.account.lock by _time span=5m All_Changes.result All_Changes.command sourcetype All_Changes.src | where count > 5 | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_accounts_locked_out_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple account lockouts may be also triggered by an application malfunction. Filter as needed, and monitor for any unusual activity.", "datamodel": ["Change"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_multiple_accounts_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "826dbaae-a1e6-4c8c-b384-d16898956e73", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Okta tenant. It triggers when more than 10 MFA attempts fail within 5 minutes, using Okta event logs to detect this pattern. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests, a technique used by threat actors like Lapsus and APT29. If confirmed malicious, this could lead to unauthorized access, potentially compromising sensitive information and systems.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requests for user $src_user$ from IP Address - $src_ip$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `okta` eventType=user.authentication.auth_via_mfa outcome.result=FAILURE debugContext.debugData.factor!=PASSWORD_AS_FACTOR | bucket _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_ip) as src_ip values(debugContext.debugData.factor) by _time src_user | where count >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed and monitor for any unusual activity.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Multiple Failed Requests to Access Applications", "author": "John Murphy, Okta, Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "description": "The following analytic detects multiple failed attempts to access applications in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages Okta logs to evaluate policy and SSO events, aggregating data by user, session, and IP. The detection triggers when more than half of the app sign-on attempts are unsuccessful across multiple applications. This activity is significant as it may indicate an attempt to bypass authentication mechanisms. If confirmed malicious, it could lead to unauthorized access to sensitive applications and data, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1538", "https://attack.mitre.org/techniques/T1550/004"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1550.004", "T1538"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', \": \") | eval targets=mvfilter(targets LIKE \"AppInstance%\") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\"policy.evaluate_sign_on\",targets,NULL))) as total_challenges sum(eval(if(eventType=\"user.authentication.sso\",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if(\"outcome.result\"=\"SUCCESS\",targets,NULL))) as success_apps values(eval(if(\":outcome.result\"!=\"SUCCESS\",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity=\"HIGH\", mitre_technique_id=\"T1538\", description=\"actor.alternateId\". \" from \" . \"client.ipAddress\" . \" seen opening \" . total_challenges . \" chiclets/apps with \" . total_successes . \" challenges successfully passed\" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_requests_to_access_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "de365ffa-42f5-46b5-b43f-fa72290b8218", "description": "The following analytic identifies instances where more than 10 unique user accounts have failed to authenticate from a single IP address within a 5-minute window in an Okta tenant. This detection uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to compromise multiple user accounts, potentially leading to unauthorized access to organizational resources and data breaches.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1110.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime dc(Authentication.user) as unique_accounts values(Authentication.signature) as signature values(Authentication.user) as user values(Authentication.app) as app values(Authentication.authentication_method) as authentication_method from datamodel=Authentication where Authentication.action=\"failure\" AND Authentication.signature=user.session.start by _time span=5m Authentication.src sourcetype | where unique_accounts > 9 | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta New API Token Created", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "description": "The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected", "https://splunkbase.splunk.com/app/6553"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_new_api_token_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta New Device Enrolled on Account", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "description": "The following analytic identifies when a new device is enrolled on an Okta account. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to detect the creation of new device enrollments. This activity is significant as it may indicate a legitimate user setting up a new device or an adversary adding a device to maintain unauthorized access. If confirmed malicious, this could lead to potential account takeover, unauthorized access, and persistent control over the compromised Okta account. Monitoring this behavior is crucial for detecting and mitigating unauthorized access attempts.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://developer.okta.com/docs/reference/api/event-types/?q=device.enrollment.create"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized.", "risk_score": 24, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`", "how_to_implement": "The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is possible that the user has legitimately added a new device to their account. Please verify this activity.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_new_device_enrolled_on_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Phishing Detection with FastPass Origin Check", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "description": "The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason \"FastPass declined phishing attempt.\" This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.", "references": ["https://sec.okta.com/fastpassphishingdetection"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Okta FastPass has prevented $user$ from authenticating to a malicious site.", "risk_score": 100, "security_domain": "access", "risk_severity": "high", "mitre_attack_id": ["T1078", "T1078.001", "T1556"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"user.authentication.auth_via_mfa\" AND result=\"FAILURE\" AND outcome.reason=\"FastPass declined phishing attempt\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_phishing_detection_with_fastpass_origin_check_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Risk Threshold Exceeded", "author": "Michael Haag, Bhavin Patel, Splunk", "date": "2024-05-28", "version": 3, "id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "description": "The following correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities. It leverages the Risk Framework from Enterprise Security, aggregating risk events from \"Suspicious Okta Activity,\" \"Okta Account Takeover,\" and \"Okta MFA Exhaustion\" analytic stories. This detection is significant as it highlights potentially compromised user accounts exhibiting multiple tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed malicious, this activity could indicate a serious security breach, allowing attackers to gain unauthorized access, escalate privileges, or persist within the environment.", "references": ["https://developer.okta.com/docs/reference/api/event-types", "https://sec.okta.com/everythingisyes"], "tags": {"analytic_story": ["Okta Account Takeover", "Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "User", "role": ["Victim"]}], "message": "Okta Risk threshold exceeded for user [$risk_object$]. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1110"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.risk_object_type = user All_Risk.analyticstories IN (\"Okta Account Takeover\", \"Suspicious Okta Activity\",\"Okta MFA Exhaustion\") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name(\"All_Risk\")` | search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`", "how_to_implement": "This search leverages the Risk Framework from Enterprise Security. Ensure that \"Suspicious Okta Activity\", \"Okta Account Takeover\", and \"Okta MFA Exhaustion\" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed.", "known_false_positives": "False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.", "datamodel": ["Risk"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta_risk_threshold_exceeded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Okta Successful Single Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 2, "id": "98f6ad4f-4325-4096-9d69-45dc8e638e82", "description": "The following analytic identifies successful single-factor authentication events against the Okta Dashboard for accounts without Multi-Factor Authentication (MFA) enabled. It detects this activity by analyzing Okta logs for successful authentication events where \"Okta Verify\" is not used. This behavior is significant as it may indicate a misconfiguration, policy violation, or potential account takeover. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches or further exploitation within the environment.", "references": ["https://sec.okta.com/everythingisyes", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$].", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` action=success src_user_type = User eventType = user.authentication.verify OR eventType = user.authentication.auth_via_mfa| stats dc(eventType) values(eventType) as eventType values(target{}.displayName) as targets values(debugContext.debugData.url) min(_time) as firstTime max(_time) as lastTime values(authentication_method) by src_ip user action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search targets !=\"Okta Verify\" | `okta_successful_single_factor_authentication_filter`", "how_to_implement": "This detection utilizes logs from Okta environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "Although not recommended, certain users may be exempt from multi-factor authentication. Adjust the filter as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Suspicious Activity Reported", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 3, "id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "description": "The following analytic identifies when an associate reports a login attempt as suspicious via an email from Okta. It leverages Okta Identity Management logs, specifically the `user.account.report_suspicious_activity_by_enduser` event type. This activity is significant as it indicates potential unauthorized access attempts, warranting immediate investigation to prevent possible security breaches. If confirmed malicious, the attacker could gain unauthorized access to sensitive systems and data, leading to data theft, privilege escalation, or further compromise of the environment.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). Additionally, it necessitates the activation of suspicious activity reporting and training for associates to report such activities.", "known_false_positives": "False positives should be minimal, given the high fidelity of this detection. marker.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_activity_reported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Suspicious Use of a Session Cookie", "author": "Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk", "date": "2024-05-29", "version": 3, "id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "description": "The following analytic identifies suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user. It leverages policy evaluation events from successful authentication logs in Okta. This activity is significant as it may indicate an adversary attempting to reuse a stolen web session cookie, potentially bypassing authentication mechanisms. If confirmed malicious, this could allow unauthorized access to user accounts, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1539/"], "tags": {"analytic_story": ["Okta Account Takeover", "Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1539"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time, values(client.ipAddress) as src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(client.userAgent.os) as userAgentOS_list, values(client.geographicalContext.city) as city, values(client.userAgent.browser) as userAgentBrowser_list, values(device.os_platform) as okta_device_os, dc(client.userAgent.browser) as dc_userAgentBrowser, dc(client.userAgent.os) as dc_userAgentOS, dc(client.ipAddress) as dc_src_ip, values(outcome.reason) as reason by debugContext.debugData.dtHash, user | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur, depending on the organization's size and the configuration of Okta.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_use_of_a_session_cookie_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Okta ThreatInsight Threat Detected", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "description": "The following analytic identifies threats detected by Okta ThreatInsight, such as password spraying, login failures, and high counts of unknown user login attempts. It leverages Okta Identity Management logs, specifically focusing on security.threat.detected events. This activity is significant for a SOC as it highlights potential unauthorized access attempts and credential-based attacks. If confirmed malicious, these activities could lead to unauthorized access, data breaches, and further exploitation of compromised accounts, posing a significant risk to the organization's security posture.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "app", "type": "Endpoint", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType = security.threat.detected | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "False positives may occur. It is recommended to fine-tune Okta settings and the analytic to ensure high fidelity. Adjust the risk score as necessary.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_threat_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Unauthorized Access to Application", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "5f661629-9750-4cb9-897c-1f05d6db8727", "description": "The following analytic identifies attempts by users to access Okta applications that have not been assigned to them. It leverages Okta Identity Management logs, specifically focusing on failed access attempts to unassigned applications. This activity is significant for a SOC as it may indicate potential unauthorized access attempts, which could lead to exposure of sensitive information or disruption of services. If confirmed malicious, such activity could result in data breaches, non-compliance with data protection laws, and overall compromise of the IT environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$]", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_id": ["T1087.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason from datamodel=Authentication where Authentication.signature=app.generic.unauth_app_access_attempt Authentication.action=\"failure\" by _time Authentication.src Authentication.user | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | `okta_unauthorized_access_to_application_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments and requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "There is a possibility that a user may accidentally click on the wrong application, which could trigger this event. It is advisable to verify the location from which this activity originates.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_unauthorized_access_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta User Logins from Multiple Cities", "author": "Bhavin Patel, Splunk", "date": "2024-05-09", "version": 2, "id": "a3d1df37-c2a9-41d0-aa8f-59f82d6192a8", "description": "The following analytic identifies instances where the same Okta user logs in from different cities within a 24-hour period. This detection leverages Okta Identity Management logs, analyzing login events and their geographic locations. Such behavior is significant as it may indicate a compromised account, with an attacker attempting unauthorized access from multiple locations. If confirmed malicious, this activity could lead to account takeovers and data breaches, allowing attackers to access sensitive information and potentially escalate their privileges within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Okta Account Takeover"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.", "risk_score": 81, "security_domain": "identity", "risk_severity": "high", "mitre_attack_id": ["T1586.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Authentication.app) as app values(Authentication.action) as action values(Authentication.user) as user values(Authentication.reason) as reason values(Authentication.dest) as dest values(Authentication.signature) as signature values(Authentication.method) as method from datamodel=Authentication where Authentication.signature=user.session.start by _time Authentication.src | `drop_dm_object_name(\"Authentication\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | iplocation src | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_src dc(City) as distinct_city values(src) as src values(City) as City values(Country) as Country values(action) as action by user | where distinct_city > 1 | `okta_user_logins_from_multiple_cities_filter`", "how_to_implement": "This detection utilizes logs from Okta Identity Management (IM) environments. It requires the ingestion of OktaIm2 logs through the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).", "known_false_positives": "It is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.", "datamodel": ["Authentication"], "source": "application", "nes_fields": null, "macros": [{"name": "okta_user_logins_from_multiple_cities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Path traversal SPL injection", "author": "Rod Soto, Splunk", "date": "2024-05-26", "version": 3, "id": "dfe55688-82ed-4d24-a21b-ed8f0e0fda99", "description": "The following analytic identifies attempts at path traversal in search parameters, which can lead to SPL injection. It detects this activity by searching for specific patterns in the `_internal` index that indicate path traversal attempts (e.g., \"../../../../\"). This activity is significant for a SOC because it can allow an attacker to manipulate the application to load data from incorrect endpoints, potentially running arbitrary SPL queries. If confirmed malicious, this could lead to unauthorized data access, code execution, or further exploitation of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `path_traversal_spl_injection` | search \"\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/\" | stats count by host status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter (\"../../../../../../../../../\") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "path_traversal_spl_injection", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "path_traversal_spl_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "author": "Rod Soto, Splunk", "date": "2024-05-24", "version": 2, "id": "ce6e1268-e01c-4df2-a617-0f034ed49a43", "description": "The following analytic identifies potential persistent Cross-Site Scripting (XSS) attacks in Splunk Enterprise 9.0 versions before 9.0.4 through user interface views. It leverages audit logs from the `audit_searches` data source to detect actions involving Base64-encoded images in error messages. This activity is significant because it can allow attackers to inject malicious scripts that execute in the context of other users, leading to unauthorized actions or data exposure. If confirmed malicious, this could result in persistent control over the affected Splunk instance, compromising its integrity and confidentiality.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index", "known_false_positives": "This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PingID Mismatch Auth Source and Verification Response", "author": "Steven Dick", "date": "2024-05-22", "version": 2, "id": "15b0694e-caa2-4009-8d83-a1f98b86d086", "description": "The following analytic identifies discrepancies between the IP address of an authentication event and the IP address of the verification response event, focusing on differences in the originating countries. It leverages JSON logs from PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity is significant as it may indicate suspicious sign-in behavior, such as account compromise or unauthorized access attempts. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive systems and data.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$].", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1621", "T1556.006", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` (\"result.status\" IN (\"SUCCESS*\",\"FAIL*\",\"UNSUCCESSFUL*\") NOT \"result.message\" IN (\"*pair*\",\"*create*\",\"*delete*\")) | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status' | join user session_id [ search `pingid` (\"result.status\" IN (\"POLICY\") AND \"resources{}.ipaddress\"=*) AND \"result.message\" IN(\"*Action: Authenticate*\",\"*Action: Approve*\",\"*Action: Allowed*\") | rex field=result.message \"IP Address: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Action: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application Name: (?:N\\/A)?(?.+)?\\n\" | rex field=result.message \"Requested Application ID: (?:N\\/A)?(?.+)?\\n\" | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name) | fields app, user, session_id, src, signature ] | iplocation prefix=auth_ dest | iplocation prefix=verify_ src | stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason | where auth_Country != verify_Country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_mismatch_auth_source_and_verification_response_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by users working out the geographic region where the organizations services or technology is hosted.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_mismatch_auth_source_and_verification_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PingID Multiple Failed MFA Requests For User", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "c1bc706a-0025-4814-ad30-288f38865036", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within a PingID environment. It triggers when 10 or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access, as the user might eventually accept the fraudulent request, compromising the security of the account and potentially the entire network.", "references": ["https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1621", "T1078", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.status\" IN (\"FAILURE,authFail\",\"UNSUCCESSFUL_ATTEMPT\") | eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'| bucket span=10m _time | stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | where mfa_prompts >= 10 | `pingid_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PingID New MFA Method After Credential Reset", "author": "Steven Dick", "date": "2024-05-21", "version": 2, "id": "2fcbce12-cffa-4c84-b70c-192604d201d0", "description": "The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677", "https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1621", "T1556.006", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.message\" = \"*Device Paired*\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object | join type=outer user [| search `wineventlog_security` EventID IN(4723,4724) | eval PW_Change_Time = _time, user = upper(user) | fields user,src_user,EventID,PW_Change_Time] | eval timeDiffRaw = round(lastTime - PW_Change_Time) | eval timeDiff = replace(tostring(abs(timeDiffRaw) ,\"duration\"),\"(\\d*)\\+*(\\d+):(\\d+):(\\d+)\",\"\\2 hours \\3 minutes\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `security_content_ctime(PW_Change_Time)` | where timeDiffRaw > 0 AND timeDiffRaw < 3600 | `pingid_new_mfa_method_after_credential_reset_filter`", "how_to_implement": "Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.", "datamodel": ["Change"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_new_mfa_method_after_credential_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "PingID New MFA Method Registered For User", "author": "Steven Dick", "date": "2024-05-07", "version": 2, "id": "892dfeaf-461d-4a78-aac8-b07e185c9bce", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.", "references": ["https://twitter.com/jhencinski/status/1618660062352007174", "https://attack.mitre.org/techniques/T1098/005/", "https://attack.mitre.org/techniques/T1556/006/", "https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA"], "tags": {"analytic_story": ["Compromised User Account"], "asset_type": "Identity", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "object", "type": "Other", "role": ["Attacker"]}], "message": "An MFA configuration change was detected for [$user$], the device [$object$] was $action$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1621", "T1556.006", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`pingid` \"result.message\"=\"Device Paired*\" result.status=\"SUCCESS\" | rex field=result.message \"Device (Unp)?(P)?aired (?.+)\" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',\"Device Paired*\"),\"created\",match('result.message', \"Device Unpaired*\"),\"deleted\") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`", "how_to_implement": "Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.", "known_false_positives": "False positives may be generated by normal provisioning workflows for user device registration.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "pingid", "definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "pingid_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "author": "Rod Soto", "date": "2024-05-17", "version": 2, "id": "356bd3fe-f59b-4f64-baa1-51495411b7ad", "description": "The following analytic detects the exploitation of an absolute path traversal vulnerability in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, where an attacker can execute arbitrary code located on a separate disk. It leverages logs from the `splunk_python` macro, specifically looking for the `runshellscript` command with a specific argument count and path pattern. This activity is significant as it indicates a potential exploitation attempt that could lead to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the Splunk instance, leading to data breaches or further system compromise.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0806"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attack against splunk_server $splunk_server$ through abuse of the runshellscript command", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` *runshellscript* | eval log_split=split(_raw, \"runshellscript: \") | eval array_raw = mvindex(log_split,1) | eval data_cleaned=replace(replace(replace(array_raw,\"\\[\",\"\"),\"\\]\",\"\"),\"'\",\"\") | eval array_indices=split(data_cleaned,\",\") | eval runshellscript_args_count=mvcount(array_indices) | where runshellscript_args_count = 10 | eval interpreter=mvindex(array_indices,0) | eval targetScript=mvindex(array_indices,1) | eval targetScript != \"*C:*\" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_absolute_path_traversal_using_runshellscript_filter`", "how_to_implement": "Must have access to internal indexes. Only applies to Splunk on Windows versions.", "known_false_positives": "The command runshellscript can be used for benign purposes. Analyst will have to review the searches and determined maliciousness specially by looking at targeted script.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_absolute_path_traversal_using_runshellscript_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "f844c3f6-fd99-43a2-ba24-93e35fe84be6", "description": "The following analytic identifies the presence of environment variables in Splunk dashboard drilldown URLs. It uses the REST API to query dashboards for specific patterns in the XML data. This activity is significant because it can expose sensitive tokens from privileged users if an attacker shares a malicious dashboard. If confirmed malicious, this could allow an attacker to detokenize variables and potentially gain unauthorized access to sensitive information or escalate privileges within the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "author", "type": "User", "role": ["Attacker"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data=\"*$env:*\" eai:data=\"*url*\" eai:data=\"*options*\" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS \"Dashboard XML\" | fields Author Permissions App \"Dashboard XML\" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter`", "how_to_implement": "This search uses REST function to query for dashboards with environment variables present in URL options.", "known_false_positives": "This search may reveal non malicious URLs with environment variables used in organizations.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 2, "id": "a053e6a6-2146-483a-9798-2d43652f3299", "description": "The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It leverages REST API queries to monitor the creation of these lookups, focusing on fields such as title, author, and access control lists. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x, potentially allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "eai:acl.app", "type": "Other", "role": ["Victim"]}], "message": "Please review $eai:acl.app$ for possible malicious lookups", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest splunk_server=local /services/data/lookup-table-files/ | fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data | `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`", "how_to_implement": "Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable.", "known_false_positives": "This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Authentication Token Exposure in Debug Log", "author": "Rod Soto, Chase Franklin", "date": "2024-05-25", "version": 2, "id": "9a67e749-d291-40dd-8376-d422e7ecf8b5", "description": "The following analytic identifies exposed authentication tokens in debug logs within Splunk Enterprise. It leverages logs from the `splunkd` component with a DEBUG log level, specifically searching for event messages that validate tokens. This activity is significant because exposed tokens can be exploited by attackers to gain unauthorized access to the Splunk environment. If confirmed malicious, this exposure could lead to unauthorized data access, privilege escalation, and potential compromise of the entire Splunk infrastructure. Monitoring and addressing this vulnerability is crucial for maintaining the security and integrity of the Splunk deployment.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0301"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible JsonWebToken exposure, please investigate affected $host$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1654"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` component=JsonWebToken log_level=DEBUG eventtype=\"splunkd-log\" event_message=\"Validating token:*\" | rex \"Validating token: (?.*)\\.$\" | search token!=None | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_authentication_token_exposure_in_debug_log_filter`", "how_to_implement": "Requires access to internal Splunk indexes.", "known_false_positives": "Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9", "datamodel": ["Web"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_authentication_token_exposure_in_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "author": "Rod Soto", "date": "2024-05-24", "version": 2, "id": "b06b41d7-9570-4985-8137-0784f582a1b3", "description": "The following analytic identifies attempts to exploit a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. It detects this activity by analyzing events in the _internal index with the file=export parameter. This behavior is significant because it indicates a potential code injection attack, which could lead to remote code execution (RCE). If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary commands, and potentially compromise the entire Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential exploitation of Code Injection via Dashboard PDF generation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode(\"uri_path\")| rex field=URL \"\\/saved\\/searches\\/(?[^\\/]*)\" | rex field=URL \"\\/data\\/ui\\/views\\/(?[^\\/]*)\" | eval NAME=NAME.\"( Saved Search )\",NAME1=NAME1.\"( Dashboard )\" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,\"2\\d+\"),\"SUCCESS\",match(status,\"3\\d+\"),\"REDIRECTION\",match(status,\"4\\d+\") OR match(status,\"5\\d+\"),\"ERROR\") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "8d3d5d5e-ca43-42be-aa1f-bc64375f6b04", "description": "The following analytic detects the use of the 'delete' command in Splunk, which can be used to remove queried data. This detection leverages the Splunk Audit data model, specifically monitoring ad-hoc searches containing the 'delete' command by non-system users. This activity is significant because the 'delete' command is rarely used and can indicate potential data tampering or unauthorized data removal. If confirmed malicious, this activity could lead to the loss of critical log data, hindering incident investigations and compromising the integrity of the monitoring environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ executed the 'delete' command, if this is unexpected it should be reviewed.", "risk_score": 27, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| delete*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.", "known_false_positives": "False positives may be present if this command is used as a common practice. Filter as needed.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_delete_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "1cf58ae1-9177-40b8-a26c-8966040f11ae", "description": "The following analytic identifies the execution of risky commands within the Splunk platform, such as `runshellscript`, `delete`, and `sendemail`. It leverages the Search_Activity data model to detect ad hoc searches containing these commands, excluding those run by the splunk-system-user. This activity is significant because it may indicate attempts at data exfiltration, deletion, or other unauthorized actions by a malicious user. If confirmed malicious, this could lead to data loss, unauthorized data transfer, or system compromise, severely impacting the organization's security posture.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json", "https://advisory.splunk.com/advisories/SVD-2024-0302"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A risky Splunk command has ran by $user$ and should be reviewed.", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will be present until properly filtered by Username and search name.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_risky_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "author": "Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk", "date": "2024-05-15", "version": 2, "id": "19d0146c-2eae-4e53-8d39-1198a78fa9ca", "description": "The following analytic identifies the execution of risky SPL commands with abnormally long run times by leveraging a machine learning model named \"risky_command_abuse.\" It uses the Splunk Audit data model to compare current search activities against a baseline of the past seven days. This activity is significant for a SOC as it can indicate potential misuse or abuse of powerful SPL commands, which could lead to unauthorized data access or system manipulation. If confirmed malicious, this activity could allow an attacker to execute arbitrary scripts, delete data, or exfiltrate sensitive information.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Abnormally long run time for risk SPL command seen by user $(Search_Activity.user).", "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!=\"\") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`", "how_to_implement": "This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.", "known_false_positives": "If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk CSRF in the SSG kvstore Client Endpoint", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "4742d5f7-ce00-45ce-9c79-5e98b43b4410", "description": "The following analytic identifies attempts to exploit a cross-site request forgery (CSRF) vulnerability in the Splunk Secure Gateway (SSG) app's kvstore_client endpoint. It detects GET requests to the vulnerable endpoint using internal index data, focusing on specific URI paths and HTTP methods. This activity is significant because it can allow unauthorized updates to SSG KV store collections, potentially leading to data manipulation or unauthorized access. If confirmed malicious, this could enable attackers to alter critical configurations or exfiltrate sensitive information, compromising the integrity and security of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0212"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CSRF exploitation attempt from $splunk_server$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkda` uri_path=\"/*/splunkd/__raw/services/ssg/kvstore_client\" method=\"GET\" delete_field_value=\"spacebridge_server\" status=\"200\" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`", "how_to_implement": "Requires access to internal index.", "known_false_positives": "This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-25", "version": 2, "id": "b6d77c6c-f011-4b03-8650-8f10edb7c4a8", "description": "The following analytic identifies attempts to exfiltrate data by executing a prepositioned malicious search ID in Splunk's Analytic Workspace. It leverages the `audit_searches` data source to detect suspicious `mstats` commands indicative of injection attempts. This activity is significant as it may indicate a phishing-based attack where an attacker compels a victim to initiate a malicious request, potentially leading to unauthorized data access. If confirmed malicious, this could result in significant data exfiltration, compromising sensitive information and impacting the organization's security posture.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential data exfiltration attack using SID query by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1567"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` info=granted search NOT (\"audit_searches\") search NOT (\"security_content_summariesonly\") AND ((search=\"*mstats*[*]*\" AND provenance=\"N/A\") OR (search=\"*mstats*\\\\\\\"*[*]*\\\\\\\"*\"))| eval warning=if(match(search,\"\\\\\\\\\\\"\"), \"POTENTIAL INJECTION STAGING\", \"POTENTIAL INJECTION EXECUTION\") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`", "how_to_implement": "The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run \"Splunk Command and Scripting Interpreter Risky SPL MLTK\" to gain more insight into potentially risky commands which could lead to data exfiltration.", "known_false_positives": "This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to \"/en-US/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Infrastructure Version", "author": "Lou Stella, Splunk", "date": "2024-05-27", "version": 2, "id": "3c162281-7edb-4ebc-b9a4-5087aaf28fa7", "description": "The following analytic identifies improper TLS validation configuration on Splunk search heads and peers post version 9. It leverages REST API calls to retrieve server information and SSL configuration settings, checking fields like `sslVerifyServerCert` and `sslVerifyServerName`. This activity is significant for a SOC as improper TLS settings can expose the infrastructure to man-in-the-middle attacks and data breaches. If confirmed malicious, attackers could intercept or manipulate data, compromising the integrity and confidentiality of communications within the Splunk environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk-to-Splunk_communication", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1587.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"sslConfig\"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value=\"Not Set\" | rename sslVerifyServerCert as \"Server.conf:SslConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:SslConfig:sslVerifyServerName\", serverCert as \"Server.conf:SslConfig:serverCert\" | `splunk_digital_certificates_infrastructure_version_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "No known at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_digital_certificates_infrastructure_version_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Digital Certificates Lack of Encryption", "author": "Lou Stella, Splunk", "date": "2024-05-18", "version": 2, "id": "386a7ebc-737b-48cf-9ca8-5405459ed508", "description": "The following analytic identifies Splunk forwarder connections that are not using TLS encryption. It leverages data from the `splunkd` logs, specifically looking for connections where the `ssl` field is set to \"false\". This activity is significant because unencrypted connections can expose sensitive data and allow unauthorized access, posing a security risk. If confirmed malicious, an attacker could exploit this vulnerability to download or publish forwarder bundles, potentially leading to arbitrary code execution and further compromise of the environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "hostname", "type": "Hostname", "role": ["Victim"]}], "message": "$hostname$ is not using TLS when forwarding data", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1587.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`splunkd` group=\"tcpin_connections\" ssl=\"false\" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`", "how_to_implement": "This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the \"ssl=false\" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_digital_certificates_lack_of_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DoS Using Malformed SAML Request", "author": "Rod Soto", "date": "2024-05-29", "version": 2, "id": "8e8a86d5-f323-4567-95be-8e817e2baee6", "description": "The following analytic detects a denial of service (DoS) attempt using a malformed SAML request targeting the /saml/acs REST endpoint in Splunk Enterprise versions lower than 9.0.6 and 8.2.12. It leverages `splunkd` logs, specifically looking for error messages containing \"xpointer\" in the `expr` field. This activity is significant because it can cause the Splunk daemon to crash or hang, disrupting service availability. If confirmed malicious, this attack could lead to prolonged downtime, impacting the organization's ability to monitor and respond to security events.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0802"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible DoS attack against Splunk Server $splunk_server$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1498"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`", "how_to_implement": "To run this search, you must have access to the _internal index.", "known_false_positives": "This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_dos_using_malformed_saml_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DOS Via Dump SPL Command", "author": "Rod Soto", "date": "2024-05-03", "version": 2, "id": "fb0e6823-365f-48ed-b09e-272ac4c1dad6", "description": "The following analytic identifies a potential Denial of Service (DoS) attack exploiting the dump SPL command in vulnerable Splunk Enterprise versions. It detects this activity by searching the `splunk_crash_log` for segmentation fault entries, indicating a crash of the Splunk daemon. This activity is significant for a SOC because it can disrupt the availability of Splunk services, impacting monitoring and incident response capabilities. If confirmed malicious, this attack could render Splunk Enterprise unusable, severely hindering an organization's ability to detect and respond to other security threats.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack with Victim $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_crash_log` \"*Segmentation fault*\" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`", "how_to_implement": "This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.", "known_false_positives": "Segmentation faults may occur due to other causes, so this search may produce false positives", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_dos_via_dump_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk DoS via Malformed S2S Request", "author": "Lou Stella, Splunk", "date": "2024-05-27", "version": 3, "id": "fc246e56-953b-40c1-8634-868f9e474cbd", "description": "The following analytic identifies attempts to exploit a Denial of Service (DoS) vulnerability in the Splunk-to-Splunk (S2S) protocol by detecting malformed S2S requests. It leverages `splunkd` logs, specifically looking for \"ERROR\" level logs from the \"TcpInputProc\" component with the thread name \"FwdDataReceiverThread\" and the message \"Invalid _meta atom.\" This activity is significant as it targets a known vulnerability that could disrupt Splunk services. If confirmed malicious, this could lead to service outages, impacting the availability and reliability of Splunk for monitoring and analysis.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1498"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` log_level=\"ERROR\" component=\"TcpInputProc\" thread_name=\"FwdDataReceiverThread\" \"Invalid _meta atom\" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.", "known_false_positives": "None.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_dos_via_malformed_s2s_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DoS via POST Request Datamodel Endpoint", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "45766810-dbb2-44d4-b889-b4ba3ee0d1f5", "description": "The following is a hunting search that allows investigation of error messages indicating Splunk HTTP engine shutdown as a result of a crafted posted request against '/datamodel/model' endpoint.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0710"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Denial of Service attack against $splunk_server$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webs` log_level=INFO message=\"ENGINE: HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down\" | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_dos_via_post_request_datamodel_endpoint_filter`", "how_to_implement": "Need access to the internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives as other causes can also shut down splunk HTTP engine, however this denial of service error is associated to a request to the datamodel/model endpoing which operator can research and find proximity of request and message in logs.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_dos_via_post_request_datamodel_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webs", "definition": "index=_internal sourcetype=splunk_web_service", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk DOS via printf search function", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-25", "version": 2, "id": "78b48d08-075c-4eac-bd07-e364c3780867", "description": "The following analytic identifies the use of the `printf` SPL function in Splunk searches, which can be exploited for a denial of service (DoS) attack. It detects this activity by querying the `audit_searches` data source for specific patterns involving `makeresults`, `eval`, `fieldformat`, and `printf` functions, excluding searches by the `splunk_system_user`. This activity is significant because it targets a known vulnerability in Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, potentially disrupting the availability of the Splunk instance. If confirmed malicious, this could lead to service outages and impact the monitoring and logging capabilities of the organization.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible denial of service attack against $host$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` \"*makeresults * eval * fieldformat *printf*\" user!=\"splunk_system_user\" search!=\"*audit_searches*\" | stats count by user splunk_server host search | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter`", "how_to_implement": "This search requires the ability to search internal indexes.", "known_false_positives": "This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_dos_via_printf_search_function_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Edit User Privilege Escalation", "author": "Rod Soto, Chase Franklin", "date": "2024-05-15", "version": 2, "id": "39e1c326-67d7-4c0d-8584-8056354f6593", "description": "The following analytic identifies attempts by low-privilege users to escalate their privileges to admin by exploiting the edit_user capability. It detects this activity by analyzing audit trail logs for specific actions such as \"change_own_password\" and \"edit_password\" where the info field is \"granted\" and the user is not an admin or system user. This activity is significant because it indicates potential privilege escalation, which is a critical security concern. If confirmed malicious, this could allow an attacker to gain administrative access, leading to full control over the Splunk environment and potential data breaches.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible attempt to abuse edit_user function by $user$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audittrail` action IN (\"change_own_password\",\"password_change\",\"edit_password\") AND info=\"granted\" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.", "known_false_positives": "This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_edit_user_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "author": "Marissa Bower, Rod Soto, Splunk", "date": "2024-05-27", "version": 2, "id": "b237d393-2f57-4531-aad7-ad3c17c8b041", "description": "The following analytic identifies crashes in the Splunk search app caused by specially crafted ZIP files, affecting Universal Forwarder versions 8.1.11 and 8.2 versions below 8.2.7.1. It detects this activity by monitoring Universal Forwarder error logs for specific messages indicating invalid or binary file issues. This activity is significant because it can disrupt Splunk operations, leading to potential data loss or monitoring gaps. If confirmed malicious, this attack could result in a denial of service, hindering the organization's ability to monitor and respond to other security incidents effectively.", "references": ["https://en.wikipedia.org/wiki/ZIP_(file_format)", "https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential exposure of environment variables from url embedded in dashboard", "risk_score": 75, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`", "how_to_implement": "Need to monitor Splunkd data from Universal Forwarders.", "known_false_positives": "This search may reveal non malicious zip files causing errors as well.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-10", "version": 2, "id": "8f0e8380-a835-4f2b-b749-9ce119364df0", "description": "The following analytic detects unauthorized attempts to reload Splunk KV Store collections via the REST API. It leverages internal index logs to identify POST requests to the `/servicesNS/nobody/search/admin/collections-conf/_reload` endpoint, focusing on status codes starting with '2'. This activity is significant as it may indicate improper permission handling, potentially leading to unauthorized deletion of KV Store collections. If confirmed malicious, this could result in data loss or unauthorized data manipulation, impacting the integrity and availability of critical Splunk data.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0105"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible attempt to access KV Store collections at $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method=\"POST\" user=* file=_reload | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_kv_store_incorrect_authorization_filter`", "how_to_implement": "Requires access to internal indexes and REST API enabled instances.", "known_false_positives": "This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_kv_store_incorrect_authorization_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-07-01", "version": 3, "id": "947d4d2e-1b64-41fc-b32a-736ddb88ce97", "description": "The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing `splunk_python` logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0108"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Windows Deserialization exploitation via irregular path file against $host$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunk_python` request_path=\"/*/app/search/C:\\\\Program\" *strings* | rex \"request_path=(?[^\\\"]+)\" | rex field=file_path \"[^\\\"]+/(?[^\\\"\\'\\s/\\\\\\\\]+)\" | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_windows_deserialization_file_partition_filter`", "how_to_implement": "Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.", "known_false_positives": "Irregular path with files that may be purposely called for benign reasons may produce false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_windows_deserialization_file_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-25", "version": 2, "id": "7f6a07bd-82ef-46b8-8eba-802278abd00e", "description": "The following analytic detects the creation of malformed Investigations in Splunk Enterprise Security (ES) versions lower than 7.1.2, which can lead to a denial of service (DoS). It leverages internal Splunk logs, specifically monitoring the `splunkd_investigation_rest_handler` with error statuses during investigation creation. This activity is significant as it can disrupt the functionality of the Investigations manager, hindering incident response efforts. If confirmed malicious, this could prevent security teams from accessing critical investigation data, severely impacting their ability to manage and respond to security incidents effectively.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0102"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Denial of Service Attack against Splunk ES Investigation Manager by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user host method msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_investigations_manager_via_investigation_creation_filter`", "how_to_implement": "This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.", "known_false_positives": "The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk ES DoS Through Investigation Attachments", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-29", "version": 2, "id": "bb85b25e-2d6b-4e39-bd27-50db42edcb8f", "description": "The following analytic detects attempts to perform a denial of service (DoS) attack through investigation attachments in Splunk Enterprise Security (ES) versions below 7.1.2. It leverages internal Splunk logs, specifically monitoring the `splunkd_investigation_rest_handler` for error statuses related to investigation objects. This activity is significant because it can render the Investigation feature inaccessible, disrupting incident response and forensic analysis. If confirmed malicious, this attack could prevent security teams from effectively managing and investigating security incidents, leading to prolonged exposure and potential data breaches.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0101"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Denial of Service detected at Splunk ES affecting $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkd_investigation_rest_handler` status=error object=investigation | stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_es_dos_through_investigation_attachments_filter`", "how_to_implement": "This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2.", "known_false_positives": "This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_es_dos_through_investigation_attachments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_investigation_rest_handler", "definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "author": "Rod Soto, Chase Franklin", "date": "2024-05-27", "version": 2, "id": "e615a0e1-a1b2-4196-9865-8aa646e1708c", "description": "The following analytic identifies attempts to exploit an HTTP response splitting vulnerability via the rest SPL command in Splunk. It detects this activity by analyzing audit logs for specific search commands that include REST methods like POST, PUT, PATCH, or DELETE. This behavior is significant because it indicates a potential attempt to access restricted REST endpoints, which could lead to unauthorized access to sensitive information. If confirmed malicious, this activity could allow an attacker to access restricted content, such as password files, by injecting commands into HTTP requests.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "URL String", "role": ["Victim"]}], "message": "Suspicious access by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027.006"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` AND search IN (\"*|*rest*POST*\",\"*|*rest*PUT*\",\"*|*rest*PATCH*\",\"*|*rest*DELETE*\") AND NOT search=\"*audit_searches*\" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.", "known_false_positives": "This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_http_response_splitting_via_rest_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "author": "Chase Franklin, Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "08978eca-caff-44c1-84dc-53f17def4e14", "description": "The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "An attempt to exploit ingest eval parameter was detected from $user$", "risk_score": 100, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search=\"*makeresults*\"AND Search_Activity.search=\"*ingestpreview*transforms*\") Search_Activity.search_type=adhoc Search_Activity.search!=\"*splunk_improperly_formatted_parameter_crashes_splunkd_filter*\" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter`", "how_to_implement": "Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-20", "version": 2, "id": "b7b82980-4a3e-412e-8661-4531d8758735", "description": "The following analytic identifies the presence of vulnerable versions of Splunk Add-on Builder (below 4.1.4) that write sensitive information to internal log files. It uses REST API queries to check installed app versions and flags those below the secure threshold. This activity is significant because it exposes sensitive data, which could be exploited by attackers. If confirmed malicious, this vulnerability could lead to unauthorized access to sensitive information, compromising the security and integrity of the Splunk environment. Immediate updates to version 4.1.4 or higher are recommended.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0111"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "version", "type": "Other", "role": ["Other"]}], "message": "Vulnerable $version$ of Splunk Add-on Builder found - Upgrade Immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/apps/local | search disabled=0 core=0 label=\"Splunk Add-on Builder\" | dedup label | search version < 4.1.4 | eval WarningMessage=\"Splunk Add-on Builder Versions older than v4.1.4 contain a critical vulnerability. Update to Splunk Add-on Builder v4.1.4 or higher immediately. For more information about this vulnerability, please refer to https://advisory.splunk.com/advisories/SVD-2024-0111\" | table label version WarningMessage | `splunk_information_disclosure_in_splunk_add_on_builder_filter`", "how_to_implement": "This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed.", "known_false_positives": "This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_information_disclosure_in_splunk_add_on_builder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Information Disclosure on Account Login", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "2bae5d19-6d1b-4db0-82ab-0af5ac5f836c", "description": "This is a composed hunting search that looks for possible user enumeration attempts when SAML is enabled on a Splunk instance by capturing different responses from server.", "references": ["https://advisory.splunk.com/SVD-2024-0716"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "Hostname", "role": ["Victim"]}], "message": "Possible user enumeration attack against $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` component=UiAuth status=failure action=login TcpChannelThread | stats count min(_time) as firstTime max(_time) as lastTime by user status action clientip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_information_disclosure_on_account_login_filter`", "how_to_implement": "Requires access to internal indexes _internal.", "known_false_positives": "This is a hunting search and requires operator to search for large number of login failures from several users indicating possible user enumeration attempts. May capture genuine login failures.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_information_disclosure_on_account_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk list all nonstandard admin accounts", "author": "Rod Soto", "date": "2024-05-21", "version": 2, "id": "401d689c-8596-4c6b-a710-7b6fdca296d3", "description": "The following analytic identifies nonstandard Splunk accounts with administrative rights on the instance, excluding the default admin account. It uses REST API calls to retrieve user data and filters for accounts with admin capabilities. This activity is significant as unauthorized admin accounts can indicate potential security breaches or misconfigurations. If confirmed malicious, attackers could leverage these accounts to execute commands, escalate privileges, or persist within the environment, posing a significant risk to the integrity and security of the Splunk instance.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential stored XSS attempt from $host$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them.", "known_false_positives": "It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_list_all_nonstandard_admin_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "date": "2024-05-29", "version": 2, "id": "a1be424d-e59c-4583-b6f9-2dcc23be4875", "description": "The following analytic identifies low-privilege users attempting to view hashed Splunk passwords by querying the conf-user-seed REST endpoint. It leverages data from the `splunkd_web` logs, specifically monitoring access to the conf-user-seed endpoint. This activity is significant because it can indicate an attempt to escalate privileges by obtaining hashed credentials, potentially leading to admin account takeover. If confirmed malicious, this could allow an attacker to gain administrative control over the Splunk instance, compromising the entire environment's security.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempt to access Splunk hashed password file from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1212"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` uri=\"*/servicesNS/nobody/system/configs/conf-user-seed*\" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.", "known_false_positives": "This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "author": "Rod Soto, Eric McGinnis", "date": "2024-05-22", "version": 2, "id": "8ed58987-738d-4917-9e44-b8ef6ab948a6", "description": "The following analytic identifies path traversal attempts in the Splunk App for Lookup File Editing. It detects specially crafted web requests targeting lookup files by analyzing the `uri_query` field in the `_internal` index. This activity is significant because it allows low-privilege users to read and write to restricted areas of the Splunk installation directory, potentially accessing sensitive files like password hashes. If confirmed malicious, this could lead to unauthorized access, data breaches, and further exploitation of the Splunk environment.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Path traversal exploitation attempt from $clientip$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts or malformed requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "author": "Rod Soto", "date": "2024-05-20", "version": 2, "id": "8a43558f-a53c-4ee4-86c1-30b1e8ef3606", "description": "The following analytic detects attempts to bypass URL validation in Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13 by targeting the vulnerable bootstrap version 2.3.1. It leverages `splunkd_web` logs, specifically monitoring GET requests to JavaScript files within the vulnerable bootstrap path. This activity is significant as it can allow a low-privileged user to perform path traversal, potentially accessing restricted and confidential information. If confirmed malicious, this could lead to unauthorized data access and compromise of sensitive information, including targeting admin users.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Attempted access to vulnerable bootstrap file by $clientip$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` method=GET uri_path=\"*bootstrap-2.3.1*\" file=\"*.js\" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`", "how_to_implement": "This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.", "known_false_positives": "This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "author": "Lou Stella, Splunk", "date": "2024-05-23", "version": 2, "id": "8ea57d78-1aac-45d2-a913-0cd603fb6e9e", "description": "The following analytic identifies unauthorized forwarder bundle downloads from Splunk Deployment Servers. It leverages native Splunk logs, specifically the `splunkd` component \"PackageDownloadRestHandler,\" to detect instances where an unauthenticated client may have downloaded forwarder bundles. This activity is significant because it could indicate a potential security breach, allowing unauthorized access to sensitive configurations and applications. If confirmed malicious, an attacker could gain insights into the deployment server's environment, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "$peer$ downloaded apps from $host$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` component=\"PackageDownloadRestHandler\" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter`", "how_to_implement": "This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_process_injection_forwarder_bundle_downloads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "author": "Lou Stella, Splunk", "date": "2024-05-28", "version": 2, "id": "900892bf-70a9-4787-8c99-546dd98ce461", "description": "The following analytic identifies weak encryption configurations in Splunk related to TLS validation within the httplib and urllib Python libraries. It uses REST API calls to check specific configuration settings on the search head and its peers, ensuring compliance with security advisories. This activity is significant for a SOC as weak encryption can be exploited for protocol impersonation attacks, leading to unauthorized access. If confirmed malicious, attackers could intercept and manipulate data, compromising the integrity and confidentiality of the Splunk environment.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "$splunk_server$ may not be properly validating TLS Certificates", "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1001.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"PythonSslClientConfig\" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as \"Server.conf:PythonSSLClientConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:PythonSSLClientConfig:sslVerifyServerName\", serverCert as \"Web.conf:Settings:serverCert\", sslVersions as \"Web.conf:Settings:sslVersions\" | `splunk_protocol_impersonation_weak_encryption_configuration_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration.", "datamodel": ["Web"], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_configuration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "author": "Rod Soto, Splunk", "date": "2024-05-21", "version": 2, "id": "c76c7a2e-df49-414a-bb36-dce2683770de", "description": "The following analytic identifies the use of Splunk's default self-signed certificates, which are flagged as insecure. It detects events from the `splunkd` log where the event message indicates that an X509 certificate should not be used. This activity is significant because using weak encryption and self-signed certificates can expose the system to man-in-the-middle attacks and other security vulnerabilities. If confirmed malicious, attackers could impersonate Splunk services, intercept sensitive data, and compromise the integrity of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Splunk default issued certificate at $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1588.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd` certificate event_message=\"X509 certificate* should not be used*\" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "839d12a6-b119-4d44-ac4f-13eed95412c8", "description": "The following analytic identifies instances where Splunk's Python3 client libraries fail to validate SSL certificates properly. It leverages logs from `splunk_python` to detect when \"simpleRequest SSL certificate validation is enabled without hostname verification.\" This activity is significant because improper SSL certificate validation can expose the system to man-in-the-middle attacks, allowing attackers to intercept or alter data. If confirmed malicious, this vulnerability could lead to unauthorized access, data breaches, and potential system compromise. Upgrading to Splunk version 9 and configuring TLS hostname validation is recommended to mitigate this risk.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Failed to validate certificate on $host$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1588.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` \"simpleRequest SSL certificate validation is enabled without hostname verification\" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "author": "Rod Soto", "date": "2024-05-15", "version": 2, "id": "bbe26f95-1655-471d-8abd-3d32fafa86f8", "description": "The following analytic identifies unauthorized attempts to use the /services/indexing/preview REST endpoint in Splunk. It detects POST requests to this endpoint by monitoring the _internal index for specific URI patterns. This activity is significant because it indicates a potential RBAC (Role-Based Access Control) bypass, allowing unauthorized users to overwrite search results if they know the search ID (SID) of an existing job. If confirmed malicious, this could lead to data manipulation, unauthorized access to sensitive information, and compromised integrity of search results.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Review $clientip$ access to indexing preview endpoint from low privilege user", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` method=\"POST\" uri=\"*/services/indexing/preview*\" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`", "how_to_implement": "This search does not require additional data ingestion. It requires the ability to search _internal index.", "known_false_positives": "This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk RCE PDFgen Render", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "bc2b7437-0400-438b-9537-21ab5b7d2d53", "description": "This is a hunting search designed to find and discover exploitation attempts against Splunk pdfgen render endpoint which results in remote", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0701"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation against $host$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunk_pdfgen _raw IN (\"*base64*\", \"*lambda*\", \"*system*\") | stats count min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host, _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_pdfgen_render_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This search will hunt for exploitation attempts against Splunk PDFgen render function, and not all requests are necesarily malicious so there will be false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_pdfgen_render_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via External Lookup Copybuckets", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "8598f9de-bba8-42a4-8ef0-12e1adda4131", "description": "The following detection provides the ability to detect remote code execution attempts against a script named copybuckets present within the splunk_archiver application by calling this script as an external lookup.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0705"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation attempt against $host$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "index=_internal sourcetype=\"splunk_archiver-too_small\" *.csv | rex field=_raw \"Invoking command:\\s(?.*)\" | stats min(_time) as firstTime max(_time) as lastTime values(command) as command values(severity) as severity by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_external_lookup_copybuckets_filter`", "how_to_implement": "Requires access to internal indexes", "known_false_positives": "An operator must identify elements indicatives of command execution requests by looking at regex data being extracted from the log. Not all the requests will be malicious.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_external_lookup_copybuckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Serialized Session Payload", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-26", "version": 2, "id": "d1d8fda6-874a-400f-82cf-dcbb59d8e4db", "description": "The following analytic detects the execution of a specially crafted query using the 'collect' SPL command in Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1. It leverages audit logs to identify searches containing both 'makeresults' and 'collect' commands. This activity is significant because it can indicate an attempt to serialize untrusted data, potentially leading to arbitrary code execution. If confirmed malicious, this could allow an attacker to execute code within the Splunk environment, leading to unauthorized access and control over the system.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Potential abuse of the 'collect' SPL command against $splunk_server$ by detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`audit_searches` file=* (search=\"*makeresults*\" AND search=\"*collect*\") | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_rce_via_serialized_session_payload_filter`", "how_to_implement": "Requires access to the _audit index.", "known_false_positives": "There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_serialized_session_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "author": "Rod Soto", "date": "2024-05-16", "version": 2, "id": "baa41f09-df48-4375-8991-520beea161be", "description": "The following analytic identifies potential exploitation attempts against the Splunk Secure Gateway App's Mobile Alerts feature in Splunk versions 9.0, 8.2.x, and 8.1.x. It detects suspicious activity by monitoring requests to the mobile alerts endpoint using specific URI paths and query parameters. This activity is significant because an authenticated user could exploit this vulnerability to execute arbitrary operating system commands remotely. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation attempt from $clientip$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` uri_path=\"/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" sort=\"notification.created_at:-1\" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`", "how_to_implement": "This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.", "known_false_positives": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is \"uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk RCE via User XSLT", "author": "Marissa Bower, Chase Franklin, Rod Soto, Bhavin Patel, Eric McGinnis, Splunk", "date": "2024-05-16", "version": 2, "id": "6cb7e011-55fb-48e3-a98d-164fa854e37e", "description": "The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing `splunkd_ui` logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1104"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Remote Code Execution via XLST from $src$ using useragent - $useragent$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` ((uri=\"*NO_BINARY_CHECK=1*\" AND \"*input.path=*.xsl*\") OR uri=\"*dispatch*.xsl*\") AND uri!= \"*splunkd_ui*\" | rex field=uri \"(?=\\s*([\\S\\s]+))\" | eval decoded_field=urldecode(string) | eval action=case(match(status,\"200\"),\"Allowed\",match(status,\"303|500|401|403|404|301|406\"),\"Blocked\",1=1,\"Unknown\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host | rename clientip as src, uri as dest_uri | iplocation src | fillnull value=\"N/A\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field | `splunk_rce_via_user_xslt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_rce_via_user_xslt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Reflected XSS in the templates lists radio", "author": "Rod Soto, Chase Franklin", "date": "2024-05-23", "version": 2, "id": "d532d105-c63f-4049-a8c4-e249127ca425", "description": "The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with `output_mode=radio` is used in a URI, leveraging `splunkd_webx` logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance.", "references": ["https://research.splunk.com/stories/splunk_vulnerabilities/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential XSS exploitation against radio template by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`", "how_to_implement": "This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to \"en-US/list/entities/x/ui/views\" which is the vulnerable injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_reflected_xss_in_the_templates_lists_radio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "author": "Rod Soto", "date": "2024-05-23", "version": 2, "id": "182f9080-4137-4629-94ac-cb1083ac981a", "description": "The following analytic identifies attempts to exploit a reflected cross-site scripting (XSS) vulnerability on the app search table endpoint in Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12. It detects this activity by analyzing web request logs for specific dataset commands (`makeresults`, `count`, `eval`, `baseSPL`) within the `splunkd_web` index. This activity is significant because successful exploitation can lead to the execution of arbitrary commands on the Splunk platform, potentially compromising the entire instance. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and manipulate data within the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0801"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Possible XSS attack against from $user$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` (dataset_commands=\"*makeresults*\" AND dataset_commands=\"*count*\" AND dataset_commands=\"*eval*\" AND dataset_commands=\"*baseSPL*\") | stats count min(_time) as firstTime max(_time) as lastTime by clientip status user view root uri_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `splunk_reflected_xss_on_app_search_table_endpoint_filter`", "how_to_implement": "Need access to the internal indexes.", "known_false_positives": "This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_reflected_xss_on_app_search_table_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk risky Command Abuse disclosed february 2023", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "date": "2024-07-01", "version": 4, "id": "ee69374a-d27e-4136-adac-956a96ff60fd", "description": "The following analytic identifies the execution of high-risk commands associated with various Splunk vulnerability disclosures. It leverages the Splunk_Audit.Search_Activity datamodel to detect ad-hoc searches by non-system users that match known risky commands. This activity is significant for a SOC as it may indicate attempts to exploit known vulnerabilities within Splunk, potentially leading to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe threat to the organization's security posture.", "references": ["https://advisory.splunk.com/advisories"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_risky_command", "type": "Other", "role": ["Other"]}], "message": "Use of risky splunk command $splunk_risky_command$ detected by $user$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1548", "T1202"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats fillnull_value=\"N/A\" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != \"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_risky_command_abuse_disclosed_february_2023_filter`", "how_to_implement": "Requires implementation of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This search encompasses many commands.", "datamodel": ["Splunk_Audit"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_risky_command_abuse_disclosed_february_2023_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse", "filename": "splunk_risky_command_20240601.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "fields_list": null}]}, {"name": "Splunk Stored XSS conf-web Settings on Premises", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "ed1209ef-228d-4dab-9856-be9369925a5c", "description": "This hunting detection provides information on exploitation of stored XSS against /configs/conf-web/settings by an admin level user.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0717"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible XSS attack against $host$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_python` *script* *eval* | stats min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_stored_xss_conf_web_settings_on_premises_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives, operator must identify XSS elemetns in the splunk_python log related to the vulnerable endpoint.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_stored_xss_conf_web_settings_on_premises_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Stored XSS via Data Model objectName Field", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "062bff76-5f9c-496e-a386-cb1adcf69871", "description": "The following analytic identifies attempts to exploit a stored cross-site scripting (XSS) vulnerability in Splunk Enterprise via the Data Model object name field. It detects this activity by analyzing web access logs (`splunkd_webx`) for specific URI patterns and non-null query parameters. This activity is significant because it allows authenticated users to inject and store malicious scripts, leading to persistent XSS attacks. If confirmed malicious, this could enable attackers to execute arbitrary scripts in the context of other users, potentially leading to data theft, session hijacking, or further compromise of the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2022-1109", "https://portswigger.net/web-security/cross-site-scripting/cheat-sheet"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` uri=/*/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`", "how_to_implement": "This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against \"/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model\" which is the injection point.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_stored_xss_via_data_model_objectname_field_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Stored XSS via Specially Crafted Bulletin Message", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "fd852b27-1882-4505-9f2c-64dfb96f4fc1", "description": "The following hunting detection provides fields related to /service/messages endpoints where specially crafted bulletin message can exploit stored XSS.", "references": ["https://advisory.splunk.com/SVD-2024-0713"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "message", "type": "Other", "role": ["Other"]}], "message": "Please investigate $message for possible XSS attack in bulletin message $message$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/messages | search message=\"*http*\" | table id author message title | `splunk_stored_xss_via_specially_crafted_bulletin_message_filter`", "how_to_implement": "Need access to Splunk REST api data via search.", "known_false_positives": "Must look at messages field and find malicious suspicious characters or hyperlinks. Not all requests to this endpoint will be malicious.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_stored_xss_via_specially_crafted_bulletin_message_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated DoS via Null Pointer References", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "d67594fe-c317-41b8-9319-ec8428d5c2ea", "description": "The following hunting search provides information on splunkd crash as a result of a Denial of Service Exploitation via null pointer references which targets 'services/cluster/config' endpoint.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0702"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation attack against $host$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1499"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunk_crash_log` \"Segmentation fault\" \"POST /services/cluster/config\" | stats count min(_time) as firstTime max(_time) as lastTime by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthenticated_dos_via_null_pointer_references_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives. An operator needs to find proximity and detail of requests targeting cluster config endpoint and subsequent Segmentation fault in splunk crash log.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_unauthenticated_dos_via_null_pointer_references_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "author": "Rod Soto", "date": "2024-05-19", "version": 2, "id": "de3908dc-1298-446d-84b9-fa81d37e959b", "description": "The following analytic identifies potential log injection attempts into the Splunk server via specially crafted web URLs. It detects ANSI escape codes within the `uri_path` field of `splunkd_webx` logs. This activity is significant as it can lead to log file manipulation, potentially obfuscating malicious actions or misleading analysts. If confirmed malicious, an attacker could manipulate log files to hide their tracks or execute further attacks, compromising the integrity of the logging system and making incident response more challenging.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-0606"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Splunk unauthenticated log injection web service log exploitation attempt against $host$ from $clientip$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` uri_path IN (\"*\\x1B*\", \"*\\u001b*\", \"*\\033*\", \"*\\0x9*\", \"*\\0x8*\") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`", "how_to_implement": "This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.", "known_false_positives": "This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_unauthenticated_log_injection_web_service_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Unauthenticated Path Traversal Modules Messaging", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "e7c2b064-524e-4d65-8002-efce808567aa", "description": "This hunting search provides information on exploitation attempts against /modules/messaging endpoint, the exploit can be clearly seen as the ../ which signals an attempt to traverse target directories.", "references": ["https://advisory.splunk.com/SVD-2024-0711"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible directory traversal attack against $host$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1083"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` method=GET uri_path=\"/*/modules/messaging/*..*\" | stats min(_time) as firstTime max(_time) as lastTime values(method) as method values(uri_path) as uri_path by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthenticated_path_traversal_modules_messaging_filter`", "how_to_implement": "Only applies to Microsoft Windows installations of Splunk.", "known_false_positives": "May catch other exploitation attempts using path traversal related characters.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_unauthenticated_path_traversal_modules_messaging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Unauthorized Experimental Items Creation", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "84afda04-0cd6-466b-869e-70d6407d0a34", "description": "This hunting search provides information on finding possible creation of unauthorized items against /experimental endpoint.", "references": ["https://advisory.splunk.com/SVD-2024-0715"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible unauthorized creation of experimental items from $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkda` */experimental/* method=POST | stats count min(_time) as firstTime max(_time) as lastTime by clientip method uri_path uri status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_unauthorized_experimental_items_creation_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "Not all requests are going to be malicious, there will be false positives, however operator must find suspicious items that might have been created by an unauthorized user.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_unauthorized_experimental_items_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk Unauthorized Notification Input by User", "author": "Rod Soto", "date": "2024-07-01", "version": 1, "id": "4b7f368f-4322-47f8-8363-2c466f0b7030", "description": "This hunting search provides information to track possible exploitation of a lower privilege user able to push notifications that may include malicious code as notifications for all users in Splunk.", "references": ["https://advisory.splunk.com/advisories/SVD-2024-0709"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "message": "Please review messages at $splunk_server for possible unauthorized notification input.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| rest /services/messages | table title message severity timeCreated_iso published splunk_server author | `splunk_unauthorized_notification_input_by_user_filter`", "how_to_implement": "Requires access to Splunk rest data.", "known_false_positives": "This search will produce false positives which may include benign notifications from other Splunk entities, attention to suspicious or anomalous elements in notifications helps identify actual exploitation of this vulnerability.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_unauthorized_notification_input_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "author": "Rod Soto, Splunk", "date": "2024-05-28", "version": 2, "id": "b7d1293f-e78f-415e-b5f6-443df3480082", "description": "The following analytic identifies user activity related to uploading lookup tables with unnecessary filename extensions in Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4. It detects this activity by monitoring HTTP methods (POST, DELETE) and specific URI paths in the internal `splunkd_access` logs. This behavior is significant because it can indicate attempts to upload potentially malicious files disguised as lookup tables. If confirmed malicious, this activity could allow an attacker to execute unauthorized code or manipulate data within the Splunk environment, leading to potential data breaches or system compromise.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`splunkda` method IN (\"POST\", \"DELETE\") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method==\"POST\" AND like( uri_path , \"%/acl\" ) , \"Permissions Update\", method==\"POST\" AND NOT like( uri_path , \"%/acl\" ) , \"Edited\" , method==\"DELETE\" , \"Deleted\" ) | rex field=uri_path \"(?.*?)\\/ui\\/views/(?.*)\" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`", "how_to_implement": "Requires access to internal splunkd_access.", "known_false_positives": "This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk User Enumeration Attempt", "author": "Lou Stella, Splunk", "date": "2024-05-21", "version": 3, "id": "25625cb4-1c4d-4463-b0f9-7cb462699cde", "description": "The following analytic identifies attempts to enumerate usernames in Splunk by detecting multiple failed authentication attempts from the same source. It leverages data from the `_audit` index, specifically focusing on failed authentication events. This activity is significant for a SOC because it can indicate an attacker trying to discover valid usernames, which is a precursor to more targeted attacks like password spraying or brute force attempts. If confirmed malicious, this activity could lead to unauthorized access, compromising the security of the Splunk environment and potentially exposing sensitive data.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.", "risk_score": 40, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as user, sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.", "known_false_positives": "Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_user_enumeration_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_failed_auths", "definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS in Highlighted JSON Events", "author": "Rod Soto, Splunk", "date": "2024-07-01", "version": 3, "id": "1030bc63-0b37-4ac9-9ae0-9361c955a3cc", "description": "The following analytic identifies potential exploitation of a Cross-Site Scripting (XSS) vulnerability in Splunk Enterprise 9.1.2. It detects suspicious requests to the Splunk web GUI that may execute JavaScript within script tags. This detection leverages logs from the `splunkd_ui` data source, focusing on specific URI paths and HTTP methods. This activity is significant as it can allow attackers to execute arbitrary JavaScript, potentially accessing the API with the logged-in user's permissions. If the user is an admin, the attacker could create an admin account, leading to full control over the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2023-1103"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation from $clientip$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` \"/*/splunkd/__raw/servicesNS/nobody/search/authentication/users\" status=201 | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_in_highlighted_json_events_filter`", "how_to_implement": "This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes.", "known_false_positives": "This is a hunting search and will produce false positives as it is not possible to view contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_in_highlighted_json_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS in Monitoring Console", "author": "Lou Stella, Splunk", "date": "2024-05-17", "version": 2, "id": "b11accac-6fa3-4103-8a1a-7210f1a67087", "description": "The following analytic identifies attempts to exploit a reflective Cross-Site Scripting (XSS) vulnerability in the Splunk Distributed Monitoring Console app. It detects GET requests with suspicious query parameters by analyzing `splunkd_web` logs in the _internal index. This activity is significant because it targets a known vulnerability (CVE-2022-27183) that could allow attackers to execute arbitrary scripts in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A potential XSS attempt has been detected from $user$", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `splunkd_web` method=\"GET\" uri_query=\"description=%3C*\" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.", "known_false_positives": "Use of the monitoring console where the less-than sign (<) is the first character in the description field.", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "splunk_xss_in_monitoring_console_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS in Save table dialog header in search page", "author": "Rod Soto", "date": "2024-07-01", "version": 3, "id": "a974d1ee-ddca-4837-b6ad-d55a8a239c20", "description": "The following analytic identifies persistent cross-site scripting (XSS) attempts in the 'Save Table' dialog on the Splunk search page. It detects POST requests to the endpoint `/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model` containing potential XSS payloads. This activity is significant because it can allow a remote user with the \"power\" role to inject malicious scripts, leading to persistent XSS vulnerabilities. If confirmed malicious, this could enable attackers to execute arbitrary scripts in the context of the affected user, potentially leading to data theft, session hijacking, or further exploitation within the Splunk environment.", "references": ["https://advisory.splunk.com/advisories/SVD-2022-1101", "https://portswigger.net/web-security/cross-site-scripting"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible XSS exploitation attempt from $clientip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_webx` method=POST uri=/*/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`", "how_to_implement": "Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.", "known_false_positives": "If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS Privilege Escalation via Custom Urls in Dashboard", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "01e1e386-7656-4f36-a55a-52fe39b04a96", "description": "This is a composed hunting search that looks for POST requests to splunk_internal_metrics/data/ui/views which can be used to elevate privileges on the Splunk server via custom urls. The way to find privilege escalation is by looking at created users with high privielges after payload has been executed. This search looks at POST request and then looks at created users privileges.", "references": ["https://advisory.splunk.com/"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Possible XSS attack and privilege escalation via custom urls in dashboard against $host$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_ui` method=POST /*/data/ui/views* | stats values(method) as method by _time index, sourcetype, host | eval event=\"post_request\" | append [| search `audittrail` action=\"edit_user\" operation=\"create\" | rex field=_raw \"object=\\\"(?.*)\\\"\" | stats count values(operation) as operation values(splunk_server) as splunk_server values(user) as user by _time index, sourcetype, host, newUser | eval event=\"create_user\"] | sort - _time | transaction host startswith=event=\"post_request\" endswith=event=\"create_user\" maxspan=10m | table _time index, sourcetype, host, method, user, splunk_server, operation, event, newUser eventcount | `splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter`", "how_to_implement": "Requires access to internal indexes _audit and _internal.", "known_false_positives": "This is a hunting search and requires operator to search for specific indicators of user creation in proximity to POST requests against vulnerable endpoint. It is not possible to detect payload during runtime.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS Via External Urls in Dashboards SSRF", "author": "Rod Soto, Chase Franklin", "date": "2024-07-01", "version": 1, "id": "b0a67520-ae82-4cf6-b04e-9f6cce56830d", "description": "This is a hunting search that provides elements to find possible dashboards created with external URL references in order to elicit Server Side Request Forgery from /data/ui/views endpoint.", "references": ["https://advisory.splunk.com/SVD-2024-0714"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible SSRF attack from $clientip$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`splunkd_web` user=* uri_path=\"/*/manager/permissions/launcher/data/ui/views/*\" file=* | stats count min(_time) as firstTime max(_time) as lastTime by clientip user file host method uri_path uri_query | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_xss_via_external_urls_in_dashboards_ssrf_filter`", "how_to_implement": "Requires access to internal indexes.", "known_false_positives": "This is a hunting search and requires an operator to search for specific indicators of Server Side Request Forgery attack against /data/ui/views. It is not possible to grab display the payloads of such requests, so this search provides users, ip addresses, requests, files, and queries that may indicate malicious intent. There will be false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_external_urls_in_dashboards_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Splunk XSS via View", "author": "Rod Soto, Eric McGinnis, Splunk", "date": "2024-05-13", "version": 2, "id": "9ac2bfea-a234-4a18-9d37-6d747e85c2e4", "description": "The following analytic identifies potential Cross-Site Scripting (XSS) attempts via the 'layoutPanel' attribute in the 'module' tag within XML Views in Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4. It leverages internal logs from \"splunk_web_service\" and \"splunk_python\" sourcetypes, focusing on messages containing \"loadParams.\" This activity is significant as it can lead to unauthorized script execution within the Splunk Web interface, potentially compromising the security of the instance. If confirmed malicious, attackers could execute arbitrary scripts, leading to data theft, session hijacking, or further exploitation of the Splunk environment.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "fileName", "type": "URL String", "role": ["Target"]}], "message": "Potential stored XSS attempt via $fileName$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "index = _internal sourcetype IN (\"splunk_web_service\", \"splunk_python\") message=\"*loadParams*\" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`", "how_to_implement": "This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.", "known_false_positives": "The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_view_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email Attachment Extensions", "author": "David Dorsey, Splunk", "date": "2024-05-29", "version": 4, "id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "description": "The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a Playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.'", "known_false_positives": "None identified", "datamodel": ["Email"], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_email_attachment_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "suspicious_email_attachments", "definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions"}], "lookups": []}, {"name": "Suspicious Java Classes", "author": "Jose Hernandez, Splunk", "date": "2024-05-19", "version": 2, "id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "description": "The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_method=POST http_content_length>1 | regex form_data=\"(?i)java\\.lang\\.(?:runtime|processbuilder)\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "application", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_java_classes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Servers Executing Suspicious Processes", "author": "David Dorsey, Splunk", "date": "2024-05-11", "version": 2, "id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "description": "The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model \"Endpoint.Processes\" to search for specific process names such as \"whoami\", \"ping\", \"iptables\", \"wget\", \"service\", and \"curl\". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\"web_server\" AND (Processes.process=\"*whoami*\" OR Processes.process=\"*ping*\" OR Processes.process=\"*iptables*\" OR Processes.process=\"*wget*\" OR Processes.process=\"*service*\" OR Processes.process=\"*curl*\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.", "datamodel": ["Endpoint"], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "web_servers_executing_suspicious_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD add Self to Group", "author": "Dean Luxton", "date": "2023-12-18", "version": 1, "id": "065f2701-b7ea-42f5-9ec4-fbc2261165f9", "description": "This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data.", "references": [], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ added themselves to AD Group $Group_Name$", "risk_score": 50, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4728) | where user=src_user | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user | `windows_ad_add_self_to_group_filter`", "how_to_implement": "This analytic requires eventCode 4728 to be ingested.", "known_false_positives": "Unknown", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_add_self_to_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Increase in Group or Object Modification Activity", "author": "Dean Luxton", "date": "2023-10-13", "version": 1, "id": "4f9564dd-a204-4f22-b375-4dfca3a68731", "description": "This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.", "references": [], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Spike in Group or Object Modifications performed by $src_user$", "risk_score": 8, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) | bucket span=5m _time | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std) | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) | search isOutlier=1 | `windows_increase_in_group_or_object_modification_activity_filter`", "how_to_implement": "Run this detection looking over a 7 day timeframe for best results.", "known_false_positives": "Unknown", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "windows_increase_in_group_or_object_modification_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Increase in User Modification Activity", "author": "Dean Luxton", "date": "2023-10-13", "version": 1, "id": "0995fca1-f346-432f-b0bf-a66d14e6b428", "description": "This analytic detects an increase in modifications to AD user objects. A large volume of changes to user objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.", "references": [], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Spike in User Modification actions performed by $src_user$", "risk_score": 8, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) | bucket span=5m _time | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status | eventstats avg(userCount) as comp_avg , stdev(userCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) | search isOutlier=1 | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status | `windows_increase_in_user_modification_activity_filter`", "how_to_implement": "Run this detection looking over a 7 day timeframe for best results.", "known_false_positives": "Genuine activity", "datamodel": [], "source": "application", "nes_fields": "user,dest", "macros": [{"name": "windows_increase_in_user_modification_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-12", "version": 2, "id": "0840ddf1-8c89-46ff-b730-c8d6722478c0", "description": "The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment.", "references": [], "tags": {"analytic_story": ["Compromised User Account", "Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename \"IsOutlier(api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Destroyed", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 2, "id": "ef629fc9-1583-4590-b62a-f2247fbf7bbf", "description": "The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to detect outliers. This activity is significant for a SOC because a sudden spike in destroyed instances could indicate malicious activity, such as an insider threat or a compromised account attempting to disrupt services. If confirmed malicious, this could lead to significant operational disruptions, data loss, and potential financial impact due to the destruction of critical cloud resources.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename \"IsOutlier(instances_destroyed)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.", "known_false_positives": "Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_destroyed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Instances Launched", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 3, "id": "f2361e9f-3928-496c-a556-120cd4223a65", "description": "The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to identify outliers based on historical data. This activity is significant for a SOC because a sudden spike in instance creation could indicate unauthorized access or misuse of cloud resources. If confirmed malicious, this behavior could lead to resource exhaustion, increased costs, or provide attackers with additional compute resources to further their objectives.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_instances_launched_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 2, "id": "d4dfb7f3-7a37-498a-b5df-f19334e871af", "description": "The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename \"IsOutlier(security_group_api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "abnormally_high_number_of_cloud_security_group_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Amazon EKS Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "294c4686-63dd-4fe6-93a2-ca807626704a", "description": "The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the \"system:anonymous\" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" userAgent!=\"AWS Security Scanner\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_eks_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Amazon EKS Kubernetes Pod scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-29", "version": 2, "id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "description": "The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is \"system:anonymous\", `verb` is \"list\", and `objectRef.resource` is \"pods\", with `requestURI` set to \"/api/v1/pods\". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster Pod", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" verb=list objectRef.resource=pods requestURI=\"/api/v1/pods\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_eks_kubernetes_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "author": "Patrick Bareiss, Splunk", "date": "2024-05-24", "version": 3, "id": "b3424bbe-3204-4469-887b-ec144483a336", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `amazon_security_lake` api.operation=DescribeEventAggregates \"http_request.user_agent\"!=\"AWS Internal\" \"src_endpoint.domain\"!=\"health.amazonaws.com\" | eval time = time/pow(10,3) | `security_content_ctime(time)` | bin span=5m time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count values(cloud.region) as cloud.region by time api.operation actor.user.account_uid actor.user.uid | where distinct_ip_count > 1 | rename cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id, actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-05-29", "version": 4, "id": "1f0b47e5-0134-43eb-851c-e3258638945e", "description": "The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudTrail logging for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted a CloudWatch logging group for account id $aws_account_id$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Impair Security Services", "author": "Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 3, "id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "description": "The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1", "description": "The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "author": "Patrick Bareiss, Splunk", "date": "2024-02-12", "version": 2, "id": "f3eb471c-16d0-404d-897c-7653f0a78cba", "description": "The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src_ip$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "739ed682-27e9-4ba0-80e5-a91b97698213", "description": "The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), \"%H\"), weekday=strftime(time/pow(10,3), \"%A\") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region | rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "886a8f46-d7e2-4439-b9ba-aec238e31732", "description": "The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_ecr_users_asl", "definition": "actor.user.name IN (admin)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS IAM Delete Policy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 3, "id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "description": "The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has deleted AWS Policies from IP address $src_ip$.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS IAM Failure Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 3, "id": "8d12f268-c567-4557-9813-f8389e235c06", "description": "The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has had mulitple failures while attempting to delete groups from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS IAM Successful Group Deletion", "author": "Patrick Bareiss, Splunk", "date": "2024-02-14", "version": 2, "id": "1bbe54f1-93d7-4764-8a01-ddaa12ece7ac", "description": "The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has sucessfully deleted a user group from $src_ip$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1069.003", "T1098", "T1069"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`", "how_to_implement": "You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 3, "id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS New MFA Method Registered For User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 3, "id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "description": "The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new virtual device is added to user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS AMI Attribute Modification for Exfiltration", "author": "Bhavin Patel, Splunk", "date": "2024-05-09", "version": 3, "id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "description": "The following analytic detects suspicious modifications to AWS AMI attributes, such as sharing an AMI with another AWS account or making it publicly accessible. It leverages AWS CloudTrail logs to identify these changes by monitoring specific API calls. This activity is significant because adversaries can exploit these modifications to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public.", "risk_score": 80, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,\"all\") ,\"Public AMI\", \"Not Public\") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_ami_attribute_modification_for_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Concurrent Sessions From Different Ips", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "51c04fdb-2746-465a-b86e-b413a09c9085", "description": "The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName = DescribeEventAggregates src_ip!=\"AWS Internal\" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Console Login Failed During MFA Challenge", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 2, "id": "55349868-5583-466f-98ab-d3beb321961e", "description": "The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when MFA was used but the login attempt still failed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ failed to pass MFA challenge while logging into console from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorMessage=\"Failed authentication\" additionalEventData.MFAUsed = \"Yes\" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_console_login_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Create Policy Version to allow all resources", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 5, "id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "description": "The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ created a policy version that allows them to access any resource in their account.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = \"*\" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS CreateAccessKey", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 4, "id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "description": "The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS CreateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 3, "id": "2a9b80d3-6340-4345-11ad-212bf444d111", "description": "The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is attempting to create a login profile for $new_login_profile$ and did a console login from this IP $src_ip$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_createloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Credential Access Failed Login", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "description": "The following analytic identifies unsuccessful login attempts to the AWS Management Console using a specific user identity. It leverages AWS CloudTrail logs to detect failed authentication events associated with the AWS ConsoleLogin action. This activity is significant for a SOC because repeated failed login attempts may indicate a brute force attack or unauthorized access attempts. If confirmed malicious, an attacker could potentially gain access to AWS account services and resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has a login failure from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely mistype or forget the password.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_credential_access_failed_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Credential Access GetPasswordData", "author": "Bhavin Patel, Splunk", "date": "2024-05-21", "version": 2, "id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "description": "The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1552/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment.", "known_false_positives": "Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_credential_access_getpassworddata_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Credential Access RDS Password reset", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-09", "version": 3, "id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "description": "The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "database_id", "type": "Endpoint", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "$database_id$ password has been reset from IP $src$", "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=\"rds.amazonaws.com\" eventName=ModifyDBInstance \"requestParameters.masterUserPassword\"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely reset the RDS password.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_credential_access_rds_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Cross Account Activity From Previously Unseen Account", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "21193641-cb96-4a2c-a707-d9b9a7f7792b", "description": "The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity by analyzing authentication logs and comparing the requesting and requested account IDs, flagging new cross-account activities. This behavior is significant because unauthorized cross-account access can indicate potential lateral movement or privilege escalation attempts. If confirmed malicious, an attacker could gain unauthorized access to resources in another account, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "requestingAccountId", "type": "Other", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), \"-24h@h\"),\"New Cross Account Activity\",\"Previously Seen\") | where status = \"New Cross Account Activity\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.", "known_false_positives": "Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cross_account_activity_from_previously_unseen_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles", "collection": "previously_seen_aws_cross_account_activity", "case_sensitive_match": null, "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId"}]}, {"name": "AWS Defense Evasion Delete Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2024-05-14", "version": 2, "id": "82092925-9ca1-4e06-98b8-85a2d3889552", "description": "The following analytic detects the deletion of AWS CloudTrail logs by identifying `DeleteTrail` events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "d308b0f1-edb7-4a62-a614-af321160710f", "description": "The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Impair Security Services", "author": "Bhavin Patel, Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "b28c4957-96a6-47e0-a965-6c767aac1458", "description": "The following analytic detects attempts to delete critical AWS security service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages CloudTrail logs to identify specific API calls like \"DeleteLogStream\" and \"DeleteDetector.\" This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": ["Web"], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion PutBucketLifecycle", "author": "Bhavin Patel", "date": "2024-05-28", "version": 2, "id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "description": "The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days", "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_defense_evasion_putbucketlifecycle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "description": "The following analytic detects `StopLogging` events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562.008", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Defense Evasion Update Cloudtrail", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "description": "The following analytic detects `UpdateTrail` events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$", "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "aws detect attach to role policy", "author": "Rod Soto, Splunk", "date": "2024-05-12", "version": 2, "id": "88fc31dd-f331-448c-9856-d3d51dd5d3a1", "description": "The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` event, extracting relevant fields such as `policyArn`, `sourceIPAddress`, and `userIdentity`. This activity is significant as it can indicate attempts at lateral movement or privilege escalation within the AWS environment. If confirmed malicious, an attacker could gain elevated permissions, potentially compromising sensitive resources and data within the AWS infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_attach_to_role_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect permanent key creation", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "12d6d713-3cb4-4ffc-a064-1dca3d1cca01", "description": "The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` action is performed by IAM users. Monitoring the creation of permanent keys is crucial as they are not created by default and are typically used for programmatic access. If confirmed malicious, this activity could allow attackers to gain persistent access to AWS resources, potentially leading to unauthorized actions and data exfiltration.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \"userIdentity.type\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_permanent_key_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect role creation", "author": "Rod Soto, Splunk", "date": "2024-05-15", "version": 2, "id": "5f04081e-ddee-4353-afe4-504f288de9ad", "description": "The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action is performed, focusing on roles with specific trust policies. This activity is significant as unauthorized role creation can facilitate lateral movement and privilege escalation within the AWS environment. If confirmed malicious, attackers could gain elevated permissions, potentially compromising sensitive resources and data.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_role_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "aws detect sts assume role abuse", "author": "Rod Soto, Splunk", "date": "2024-05-20", "version": 2, "id": "8e565314-b6a2-46d8-9f05-1a34a176a662", "description": "The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_detect_sts_assume_role_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "aws detect sts get session token abuse", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "85d7b35f-b8b5-4b01-916f-29b81e7a0551", "description": "The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure.", "references": [], "tags": {"analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1550"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_get_session_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2024-05-28", "version": 2, "id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "description": "The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "AWS account is potentially compromised and user $user$ is trying to compromise other accounts.", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action=\"kms:Encrypt\" AND key_policy_principal=\"*\" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "author": "Rod Soto, Patrick Bareiss Splunk", "date": "2024-05-18", "version": 3, "id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "description": "The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the `CopyObject` event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"analytic_story": ["Ransomware Cloud"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption=\"aws:kms\" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "There maybe buckets provisioned with S3 encryption", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Disable Bucket Versioning", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "657902a9-987d-4879-a1b2-e7a65512824b", "description": "The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability.", "references": ["https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName= PutBucketVersioning \"requestParameters.VersioningConfiguration.Status\"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_disable_bucket_versioning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS EC2 Snapshot Shared Externally", "author": "Bhavin Patel, Splunk", "date": "2024-05-07", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "description": "The following analytic detects when an EC2 snapshot is shared with an external AWS account by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,\"Match\",\"No Match\") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = \"No Match\" | `aws_ec2_snapshot_shared_externally_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_ec2_snapshot_shared_externally_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings High", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 3, "id": "30a0e9f8-f1dd-4f9d-8fc2-c622461d781c", "description": "The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity high found in repository $repository$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_ecr_container_scanning_findings_high_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "author": "Patrick Bareiss, Eric McGinnis Splunk", "date": "2024-05-15", "version": 3, "id": "cbc95e44-7c22-443f-88fd-0424478f5589", "description": "The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN (\"LOW\", \"INFORMATIONAL\", \"UNKNOWN\") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"low\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Scanning Findings Medium", "author": "Patrick Bareiss, Splunk", "date": "2024-05-06", "version": 3, "id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "description": "The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture.", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities with severity $severity$ found in repository $repository$", "risk_score": 21, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user| eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_scanning_findings_medium_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Upload Outside Business Hours", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM or on weekends. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded outside business hours from $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS ECR Container Upload Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "300688e4-365c-4486-a065-7c884462b31d", "description": "The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) by an unknown user. It leverages AWS CloudTrail logs to identify `PutImage` events from the ECR service, filtering out known users. This activity is significant because container uploads should typically be performed by a limited set of authorized users. If confirmed malicious, this could indicate unauthorized access, potentially leading to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Container uploaded from unknown user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "aws_ecr_users", "definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2024-05-08", "version": 2, "id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "description": "The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "description": "The following analytic identifies anomalous GetObject API activity in AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail logs and uses the `anomalydetection` command to detect unusual patterns in the frequency of GetObject API calls by analyzing fields such as \"count,\" \"user_type,\" and \"user_arn\" within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection", "https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Anomalous S3 activities detected by user $user_arn$ from $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1119"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection \"count\" \"user_type\" \"user_arn\" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Exfiltration via Batch Service", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 2, "id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "description": "The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and their status. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1119"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_batch_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Exfiltration via Bucket Replication", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 2, "id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "description": "The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify `PutBucketReplication` events, focusing on fields like `bucketName`, `ReplicationConfiguration.Rule.Destination.Bucket`, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_bucket_replication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Exfiltration via DataSync Task", "author": "Bhavin Patel, Splunk", "date": "2024-05-28", "version": 2, "id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "description": "The following analytic detects the creation of an AWS DataSync task, which could indicate potential data exfiltration. It leverages AWS CloudTrail logs to identify the `CreateTask` event from the DataSync service. This activity is significant because attackers can misuse DataSync to transfer sensitive data from a private AWS location to a public one, leading to data compromise. If confirmed malicious, this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious AWS S3 Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1119"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName = CreateTask eventSource=\"datasync.amazonaws.com\" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_datasync_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 2, "id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "description": "The following analytic detects a series of AWS API calls related to EC2 snapshots within a short time window, indicating potential exfiltration via EC2 Snapshot modifications. It leverages AWS CloudTrail logs to identify actions such as creating, describing, and modifying snapshot attributes. This activity is significant as it may indicate an attacker attempting to exfiltrate data by sharing EC2 snapshots externally. If confirmed malicious, the attacker could gain access to sensitive information stored in the snapshots, leading to data breaches and potential compliance violations.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://stratus-red-team.cloud/attack-techniques/list/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "userName", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName IN (\"CreateSnapshot\", \"DescribeSnapshotAttribute\", \"ModifySnapshotAttribute\", \"DeleteSnapshot\") src_ip !=\"guardduty.amazonaws.com\" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_exfiltration_via_ec2_snapshot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications For User", "author": "Bhavin Patel, Splunk", "date": "2024-05-25", "version": 2, "id": "e3236f49-daf3-4b70-b808-9290912ac64d", "description": "The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. Security teams should consider adjusting the threshold based on their specific environment to reduce false positives.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}], "message": "User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 2, "id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute window. This detection leverages CloudTrail logs, aggregating failed login events by IP address and time span. This activity is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges within an AWS environment. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation of AWS resources.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS IAM AccessDenied Discovery Events", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "3e1f1568-9633-11eb-a69c-acde48001122", "description": "The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.arn", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1580"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (errorCode = \"AccessDenied\") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_accessdenied_discovery_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Assume Role Policy Brute Force", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "f19e09b0-9308-11eb-b7ec-acde48001122", "description": "The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/", "https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.", "risk_score": 28, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1580", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_iam_assume_role_policy_brute_force_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Delete Policy", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "ec3a9362-92fe-11eb-99d0-acde48001122", "description": "The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify `DeletePolicy` events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Failure Group Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "723b861a-92eb-11eb-93b8-acde48001122", "description": "The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. This activity is significant as it may indicate unauthorized attempts to modify IAM group configurations, which could be a precursor to privilege escalation or other malicious actions. If confirmed malicious, this could allow an attacker to disrupt IAM policies, potentially leading to unauthorized access or denial of service within the AWS environment.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has had mulitple failures while attempting to delete groups from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS IAM Successful Group Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "e776d06c-9267-11eb-819b-acde48001122", "description": "The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_deleted", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$", "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_id": ["T1069.003", "T1098", "T1069"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Lambda UpdateFunctionCode", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "211b80d3-6340-4345-11ad-212bf3d0d111", "description": "The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful `UpdateFunctionCode` events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.", "references": ["http://detectioninthe.cloud/execution/modify_lambda_function_code/", "https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$", "risk_score": 63, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_lambda_updatefunctioncode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "374832b1-3603-420c-b456-b373e24d34c0", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages AWS CloudTrail logs to identify events where MFA devices are deleted or deactivated. This activity is significant because disabling MFA can indicate an adversary attempting to weaken account security, potentially to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, posing a significant risk to the security and integrity of the cloud infrastructure.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "aws_account_id", "type": "Other", "role": ["Victim"]}, {"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Multiple Failed MFA Requests For User", "author": "Bhavin Patel", "date": "2024-05-31", "version": 2, "id": "1fece617-e614-4329-9e61-3ba228c0f353", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests to an AWS Console for a single user. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect more than 10 failed MFA prompts within 5 minutes. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access to the AWS environment, potentially compromising sensitive data and resources.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ is seen to have high number of MFA prompt failures within a short period of time.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName= ConsoleLogin \"additionalEventData.MFAUsed\"=Yes errorMessage=\"Failed authentication\" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel", "date": "2024-05-10", "version": 2, "id": "71e1fb89-dd5f-4691-8523-575420de4630", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. It leverages CloudTrail logs to detect multiple failed login attempts from the same IP address. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain unauthorized access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip | `aws_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Network Access Control List Created with All Open Ports", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 3, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "description": "The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$", "risk_score": 48, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_network_access_control_list_created_with_all_open_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Network Access Control List Deleted", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-15", "version": 3, "id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "description": "The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere", "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS New MFA Method Registered For User", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an AWS account. It leverages AWS CloudTrail logs to identify the `CreateVirtualMFADevice` event. This activity is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to secure their access, making it difficult to detect and remove their presence, potentially leading to further unauthorized activities and data breaches.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Password Policy Changes", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 2, "id": "aee4a575-7064-4e60-b511-246f9baf9895", "description": "The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as \"UpdateAccountPasswordPolicy,\" \"GetAccountPasswordPolicy,\" and \"DeleteAccountPasswordPolicy.\" This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "message": "User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 3, "id": "85096389-a443-42df-b89d-200efbb1b560", "description": "The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"analytic_story": ["Data Exfiltration", "Suspicious Cloud Instance Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple AWS Exfiltration detections $source$ and techniques $annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = \"collection\" OR All_Risk.annotations.mitre_attack.mitre_tactic = \"exfiltration\" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`", "how_to_implement": "You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.", "known_false_positives": "alse positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_s3_exfiltration_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "AWS SAML Access by Provider User and Principal", "author": "Rod Soto, Splunk", "date": "2024-05-23", "version": 2, "id": "bbe23980-6019-11eb-ae93-0242ac130002", "description": "The following analytic identifies specific SAML access events by a service provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs to detect the `AssumeRoleWithSAML` event, analyzing fields such as `principalArn`, `roleArn`, and `roleSessionName`. This activity is significant as it can indicate abnormal access patterns or potential credential hijacking, especially in federated environments using the SAML protocol. If confirmed malicious, this could allow attackers to assume roles and gain unauthorized access to sensitive AWS resources, leading to data breaches or further exploitation.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "recipientAccountId", "type": "Other", "role": ["Victim"]}], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_saml_access_by_provider_user_and_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS SAML Update identity provider", "author": "Rod Soto, Splunk", "date": "2024-05-19", "version": 2, "id": "2f0604c6-6030-11eb-ae93-0242ac130002", "description": "The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.principalId", "type": "User", "role": ["Victim", "Target"]}], "message": "User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_saml_update_identity_provider_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS SetDefaultPolicyVersion", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "description": "The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_setdefaultpolicyversion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Successful Console Authentication From Multiple IPs", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 3, "id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "description": "The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring `ConsoleLogin` events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment.", "references": ["https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/"], "tags": {"analytic_story": ["Compromised User Account", "Suspicious AWS Login Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_successful_console_authentication_from_multiple_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Successful Single-Factor Authentication", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "description": "The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventName= ConsoleLogin errorCode=success \"additionalEventData.MFAUsed\"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs.", "known_false_positives": "It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 3, "id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "description": "The following analytic identifies a single source IP failing to authenticate into the AWS Console with multiple valid users. It uses CloudTrail logs and calculates the standard deviation for source IP, leveraging the 3-sigma rule to detect unusual numbers of failed authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the AWS environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src_ip$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment", "known_false_positives": "No known false postives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS UpdateLoginProfile", "author": "Bhavin Patel, Splunk", "date": "2024-05-17", "version": 4, "id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "description": "The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "message": "From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "aws_updateloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Active Directory High Risk Sign-in", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 3, "id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "description": "The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A high risk event was identified by Identify Protection for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype.", "known_false_positives": "Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_active_directory_high_risk_sign_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "9d4fea43-9182-4c5a-ada8-13701fd5615d", "description": "The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the \"Add app role assignment to service principal\" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add app role assignment to service principal\" src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Application Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 3, "id": "eac4de87-7a56-4538-a21b-277897af6d8d", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. It leverages Azure Active Directory events, specifically monitoring the \"Add member to role\" operation. This activity is significant because users in this role can manage all aspects of enterprise applications, including credentials, which can be used to impersonate application identities. If confirmed malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant.", "references": ["https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_application_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category", "known_false_positives": "Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_application_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Authentication Failed During MFA Challenge", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-18", "version": 3, "id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "description": "The following analytic identifies failed authentication attempts against an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. This activity is significant as it may indicate an adversary attempting to authenticate using compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing effort to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, status.additionalDetails, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "875de3d7-09bc-4916-8c0a-0929f4ced3d8", "description": "The following analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats by allowing users to grant consent to potentially malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update authorization policy\" | rename properties.* as * | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number) | search AllowUserConsentForRiskyApps = \"[true]\" | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, operationName, AllowUserConsentForRiskyApps | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "description": "The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs per user. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | where unique_ips > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Device Code Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 3, "id": "d68d8732-6f7e-4ee5-a6eb-737f2b990b91", "description": "The following analytic identifies Azure Device Code Phishing attacks, which can lead to Azure Account Take-Over (ATO). It leverages Azure AD SignInLogs to detect suspicious authentication requests using the device code authentication protocol. This activity is significant as it indicates potential bypassing of Multi-Factor Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange mailboxes, and Outlook Web Application (OWA), leading to potential data breaches and unauthorized data access.", "references": ["https://attack.mitre.org/techniques/T1528", "https://github.com/rvrsh3ll/TokenTactics", "https://embracethered.com/blog/posts/2022/device-code-phishing/", "https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html", "https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Device code requested for $user$ from $src_ip$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528", "T1566", "T1566.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs \"properties.authenticationProtocol\"=deviceCode | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip, appDisplayName, userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_device_code_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_device_code_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD External Guest User Invited", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "description": "The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment.", "references": ["https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf", "https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999", "https://attack.mitre.org/techniques/T1136/003/", "https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "External Guest User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Invite external user\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrator may legitimately invite external guest users. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_external_guest_user_invited_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "ae286126-f2ad-421c-b240-4ea83bd1c43a", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application within Office 365 Exchange Online. This is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. The detection leverages the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This activity is significant as it grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. If malicious, this could lead to unauthorized access and data exfiltration.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1098.002", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Global Administrator Role Assigned", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 5, "id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "description": "The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the \"Add member to role\" operation includes the \"Global Administrator\" role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk.", "references": ["https://o365blog.com/post/admin/", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "Global Administrator Role assigned for User $user$ initiated by $initiatedBy$", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add member to role\" properties.targetResources{}.modifiedProperties{}.newValue=\"\\\"Global Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_global_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "630b1694-210a-48ee-a450-6f79e7679f2c", "description": "The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to authenticate more than 20 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "description": "The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip | where count > 20 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multi-Factor Authentication Disabled", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 3, "id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "description": "The following analytic detects attempts to disable multi-factor authentication (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the \"Disable Strong Authentication\" operation. This activity is significant because disabling MFA can allow adversaries to maintain persistence using compromised accounts without raising suspicion. If confirmed malicious, this action could enable attackers to bypass an essential security control, potentially leading to unauthorized access and prolonged undetected presence in the environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime by user, type, operationName, initiatedBy, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "116e11a9-63ea-41eb-a66a-6a13bdc7d2c7", "description": "The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "5d8bb1f0-f65a-4b4e-af2e-fcdb88276314", "description": "The following analytic detects unusual authentication activity in Azure AD, specifically when a single user account has over 8 authentication attempts using 3+ unique application IDs and 5+ unique user agents within a short period. It leverages Azure AD audit logs, focusing on authentication events and using statistical thresholds. This behavior is significant as it may indicate an adversary probing for MFA requirements. If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. Early detection is crucial to prevent substantial harm.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" (properties.authenticationRequirement=\"multiFactorAuthentication\" AND properties.status.additionalDetails=\"MFA required in Azure AD\") OR (properties.authenticationRequirement=singleFactorAuthentication AND \"properties.authenticationDetails{}.succeeded\"=true) | bucket span=5m _time | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime dc(appId) as unique_app_ids dc(userAgent) as unique_user_agents values(appDisplayName) values(deviceDetail.operatingSystem) by user, src_ip | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Denied MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "d0895c20-de71-4fd2-b56c-3fcdb888eba1", "description": "The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on \"Sign-in activity\" events with error code 500121 and additional details indicating \"MFA denied; user declined the authentication.\" This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" | rename properties.* as * | search status.errorCode=500121 status.additionalDetails=\"MFA denied; user declined the authentication\" | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_denied_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_multiple_denied_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 4, "id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "description": "The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs operationName=\"Sign-in activity\" properties.status.errorCode=500121 properties.status.additionalDetails!=\"MFA denied; user declined the authentication\" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "66cb378f-234d-4fe1-bb4c-e7878ff6b017", "description": "The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "32880707-f512-414e-bd7f-204c0c85b758", "description": "The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 3, "id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "description": "The following analytic detects a single source IP failing to authenticate with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or privilege escalation within the Azure AD environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(user) AS unique_accounts values(user) as user by src_ip | where unique_accounts > 30 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New Custom Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-14", "version": 3, "id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "description": "The following analytic detects the addition of a new custom domain within an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify successful \"Add unverified domain\" operations. This activity is significant as it may indicate an adversary attempting to establish persistence by setting up identity federation backdoors, allowing them to impersonate users and bypass authentication mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized access, escalate privileges, and maintain long-term access to the Azure AD environment, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new custom domain, $domain$ , was added by $user$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add unverified domain\" properties.result=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_custom_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, new customm domains will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_custom_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New Federated Domain Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 3, "id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "description": "The following analytic detects the addition of a new federated domain within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify successful \"Set domain authentication\" operations. This activity is significant as it may indicate the use of the Azure AD identity federation backdoor technique, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, potentially leading to unauthorized access and control over the Azure AD environment.", "references": ["https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new federated domain, $domain$ , was added by $user$", "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_id": ["T1484", "T1484.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Set domain authentication\" \"properties.result\"=success | rename properties.* as * | rename targetResources{}.displayName as domain | stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_federated_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "In most organizations, domain federation settings will be updated infrequently. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "0488e814-eb81-42c3-9f1f-b2244973e3a3", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account in Azure Active Directory. It leverages Azure AD audit logs to identify changes in MFA configurations. This activity is significant because adding a new MFA method can indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges, access sensitive data, or make unauthorized changes. Immediate verification and remediation are required to secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Update user\" | rename properties.* as * | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0) | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD New MFA Method Registered For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "2628b087-4189-403f-9044-87403f777a1b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "A new MFA method was registered for user $user$", "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime by user, resultDescription, result, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD OAuth Application Consent Granted By User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "10ec9031-015b-4617-b453-c0c1ab729007", "description": "The following analytic detects when a user in an Azure AD environment grants consent to an OAuth application. It leverages Azure AD audit logs to identify events where users approve application consents. This activity is significant as it can expose organizational data to third-party applications, a common tactic used by malicious actors to gain unauthorized access. If confirmed malicious, this could lead to unauthorized access to sensitive information and resources. Immediate investigation is required to validate the application's legitimacy, review permissions, and mitigate potential risks.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=success | rename properties.* as * | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_oauth_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_oauth_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD PIM Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "description": "The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was assiged to $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add eligible member to role in PIM completed*\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_pim_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD PIM Role Assignment Activated", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 4, "id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "description": "The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the \"Add member to role completed (PIM activation)\" operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role completed (PIM activation)\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_pim_role_assignment_activated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_pim_role_assignment_activated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 3, "id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "description": "The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 50, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_authentication_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "5521f8c5-1aa3-473c-9eb7-853701924a06", "description": "The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. Immediate investigation is required.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` category=AuditLogs operationName=\"Update application\" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Privileged Role Assigned", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-29", "version": 3, "id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "description": "The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the \"Add member to role\" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` \"operationName\"=\"Add member to role\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 3, "id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "description": "The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.", "references": ["https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Victim"]}], "message": "A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add member to role\" | rename properties.* as * | search \"targetResources{}.type\"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_privileged_role_assigned_to_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "fields_list": null}]}, {"name": "Azure AD Service Principal Authentication", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "5a2ec401-60bb-474e-b936-1e66e7aa4060", "description": "The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting \"Sign-in activity\" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Service Principal $user$ authenticated from $src_ip$", "risk_score": 25, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Service Principal Created", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "description": "The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the \"Add service principal\" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals", "https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0", "https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}], "message": "Service Principal named $displayName$ created by $user$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately create Service Principal. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Service Principal New Client Credentials", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-11", "version": 3, "id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "description": "The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the \"Update application*Certificates and secrets management\" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "New credentials added for Service Principal by $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=AuditLogs operationName=\"Update application*Certificates and secrets management \" | rename properties.* as * | rename targetResources{}.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Service Principal Owner Added", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 4, "id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "description": "The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A new owner was added for service principal $displayName$ by $initiatedBy$", "risk_score": 54, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Add owner to application\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_owner_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "Administrator may legitimately add new owners for Service Principals. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_service_principal_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Successful Authentication From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 4, "id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "description": "The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.", "references": ["https://attack.mitre.org/techniques/T1110", "https://attack.mitre.org/techniques/T1110.001", "https://attack.mitre.org/techniques/T1110.003"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover", "Compromised User Account"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes.", "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=30m _time | stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_successful_authentication_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Successful PowerShell Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 3, "id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is \"Microsoft Azure PowerShell.\" This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0", "https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ using PowerShell.", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_successful_powershell_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_successful_powershell_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Successful Single-Factor Authentication", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 3, "id": "a560e7f6-1711-4353-885b-40be53101fcd", "description": "The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks*", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to sensitive data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Administrator $user$ consented an OAuth application for the tenant.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 3, "id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "description": "The following analytic identifies a single source IP failing to authenticate with multiple valid users, potentially indicating a Password Spraying attack against an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers of failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "risk_score": 54, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Azure AD User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "06b8ec9a-d3b5-4882-8f16-04b4d10f5eab", "description": "The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`azure_monitor_aad` operationName=\"Consent to application\" properties.result=failure | rename properties.* as * | eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Reason\"), -1) | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', \"ConsentAction.Permissions\"), -1) | search reason_index >= 0 | eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue',reason_index) | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index) | search reason = \"\\\"Risky application detected\\\"\" | rex field=permissions \"Scope: (?[^,]+)\" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, reason, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "UPDATE_KNOWN_FALSE_POSITIVES", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "bb093c30-d860-4858-a56e-cd0895d5b49c", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment. This detection leverages Azure AD's audit logs, specifically focusing on user consent actions with error code 65004. Monitoring denied consent actions is significant as it can indicate users recognizing potentially suspicious or untrusted applications. If confirmed malicious, this activity could suggest attempts by unauthorized applications to gain access, potentially leading to data breaches or unauthorized actions within the environment. Understanding these denials helps refine security policies and enhance user awareness.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ denied consent for an OAuth application.", "risk_score": 36, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Sign-in activity\" properties.status.errorCode=65004 | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, appDisplayName, status.failureReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.", "known_false_positives": "Users may deny consent for legitimate applications by mistake, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD User Enabled And Password Reset", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 3, "id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "description": "The following analytic detects an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. It uses Azure Active Directory events to identify this sequence of actions. This activity is significant because it may indicate an adversary with administrative access attempting to establish a backdoor identity within the Azure AD tenant. If confirmed malicious, this could allow the attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information from the environment.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` (operationName=\"Enable account\" OR operationName=\"Reset password (by admin)\" OR operationName=\"Update user\") | transaction user startsWith=(operationName=\"Enable account\") endsWith=(operationName=\"Reset password (by admin)\") maxspan=2m | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_enabled_and_password_reset_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_enabled_and_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure AD User ImmutableId Attribute Updated", "author": "Mauricio Velazco, Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "description": "The following analytic identifies the modification of the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user. This detection leverages Azure AD audit logs, specifically monitoring the \"Update user\" operation and changes to the SourceAnchor attribute. This activity is significant as it is a step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, leading to unauthorized access and potential data breaches.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "message": "The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$", "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_monitor_aad` operationName=\"Update user\" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(modifiedProperties) as modifiedProperties by initiatedBy, src_ip, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_user_immutableid_attribute_updated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.", "known_false_positives": "The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_ad_user_immutableid_attribute_updated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "azure_monitor_aad", "definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Automation Account Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "860902fd-2e76-46b3-b050-ba548dab576c", "description": "The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premise environments. If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account?tabs=azureportal", "https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation account $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1136", "T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation account\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime values(object) as object by user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation accounts. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_account_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Automation Runbook Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "description": "The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/manage-runbooks", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Automation Runbook $object$ was created by $user$", "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1136", "T1136.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation Runbook\" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_runbook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation Runbooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_runbook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Azure Runbook Webhook Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 4, "id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "description": "The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the \"Create or Update an Azure Automation webhook\" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new Azure Runbook Webhook $object$ was created by $user$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation webhook\" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user | stats count min(_time) as firstTime max(_time) as lastTime by object user, src_ip, resourceGroupName, object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_runbook_webhook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Runbook Webhooks. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_runbook_webhook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Circle CI Disable Security Job", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 2, "id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "description": "The following analytic detects the disabling of security jobs in CircleCI pipelines. It leverages CircleCI log data, renaming and extracting fields such as job names, workflow IDs, user information, commit messages, URLs, and branches. The detection identifies mandatory jobs for each workflow and checks if they were executed. This activity is significant because disabling security jobs can allow malicious code to bypass security checks, leading to potential data breaches, system downtime, and reputational damage. If confirmed malicious, this could result in unauthorized code execution and compromised pipeline integrity.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1554"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, \"%\".mandatory_job.\"%\"), 1, 0) | where mandatory_job_executed=0 | eval phase=\"build\" | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circle_ci_disable_security_job_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow", "filename": "mandatory_job_for_workflow.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Circle CI Disable Security Step", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "description": "The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Disable security step $mandatory_step$ in job $job_name$ from user $user$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1554"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, \"%\".mandatory_step.\"%\"), 1, 0) | where mandatory_step_executed=0 | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | eval phase=\"build\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "circle_ci_disable_security_step_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job", "filename": "mandatory_step_for_job.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Cloud API Calls From Previously Unseen User Roles", "author": "David Dorsey, Splunk", "date": "2024-05-15", "version": 2, "id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "description": "The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),\"-24h@h\") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`", "known_false_positives": "None.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_api_calls_from_previously_unseen_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen", "collection": "previously_seen_cloud_api_calls_per_user_role", "case_sensitive_match": null, "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2024-05-18", "version": 3, "id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "description": "The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating a new instance $dest$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`", "how_to_implement": "You must be ingesting the appropriate cloud-infrastructure logs Run the \"Previously Seen Cloud Compute Creations By User\" support search to create of baseline of previously seen users.", "known_false_positives": "It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances", "collection": "previously_seen_cloud_compute_creations_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "author": "David Dorsey, Splunk", "date": "2024-05-10", "version": 2, "id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "description": "The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ in a new region for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_in_previously_unused_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities", "collection": "previously_seen_cloud_regions", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "author": "David Dorsey, Splunk", "date": "2024-05-30", "version": 2, "id": "bc24922d-987c-4645-b288-f8c73ec194c4", "description": "The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an image that has not been previously seen.", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), \"-24h@h\") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.", "known_false_positives": "After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_with_previously_unseen_image_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs", "collection": "previously_seen_cloud_compute_images", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data"}]}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2024-05-14", "version": 2, "id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "description": "The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.", "references": [], "tags": {"analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where instance_type != \"unknown\" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types", "collection": "previously_seen_cloud_compute_instance_types", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data"}]}, {"name": "Cloud Instance Modified By Previously Unseen User", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 2, "id": "7fb15084-b14e-405a-bd61-a6de15a40722", "description": "The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "User $user$ is modifying an instance $object_id$ for the first time.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078.004", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`", "how_to_implement": "This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search \"Previously Seen Cloud Instance Modifications By User - Update\" should be enabled for this detection to properly work.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_instance_modified_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed", "collection": "previously_seen_cloud_instance_modifications_by_user", "case_sensitive_match": null, "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen City", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-16", "version": 2, "id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "description": "The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "94994255-3acf-4213-9b3f-0494df03bb31", "description": "The following analytic detects cloud provisioning activities originating from previously unseen countries. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), \"-24h@h\") | `security_content_ctime(firstTime)` | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "author": "Rico Valdez, Splunk", "date": "2024-05-16", "version": 2, "id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "description": "The following analytic detects cloud provisioning activities originating from previously unseen IP addresses. It leverages cloud infrastructure logs to identify events where resources are created or started, and cross-references these with a baseline of known IP addresses. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object_id", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "author": "Rico Valdez, Bhavin Patel, Splunk", "date": "2024-05-17", "version": 2, "id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "description": "The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.", "references": [], "tags": {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | `security_content_ctime(firstTime)` | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_provisioning_activity_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "case_sensitive_match": null, "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}]}, {"name": "Cloud Security Groups Modifications by User", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 2, "id": "cfe7cca7-2746-4bdf-b712-b01ed819b9de", "description": "The following analytic identifies unusual modifications to security groups in your cloud environment by users, focusing on actions such as modifications, deletions, or creations over 30-minute intervals. It leverages cloud infrastructure logs and calculates the standard deviation for each user, using the 3-sigma rule to detect anomalies. This activity is significant as it may indicate a compromised account or insider threat. If confirmed malicious, attackers could alter security group configurations, potentially exposing sensitive resources or disrupting services.", "references": ["https://attack.mitre.org/techniques/T1578/005/"], "tags": {"analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unsual number cloud security group modifications detected by user - $user$", "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1578.005"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats dc(All_Changes.object) as unique_security_groups values(All_Changes.src) as src values(All_Changes.user_type) as user_type values(All_Changes.object_category) as object_category values(All_Changes.object) as objects values(All_Changes.action) as action values(All_Changes.user_agent) as user_agent values(All_Changes.command) as command from datamodel=Change WHERE All_Changes.object_category = \"security_group\" (All_Changes.action = modified OR All_Changes.action = deleted OR All_Changes.action = created) by All_Changes.user _time span=30m | `drop_dm_object_name(\"All_Changes\")` | eventstats avg(unique_security_groups) as avg_changes , stdev(unique_security_groups) as std_changes by user | eval upperBound=(avg_changes+std_changes*3) | eval isOutlier=if(unique_security_groups > 2 and unique_security_groups >= upperBound, 1, 0) | where isOutlier=1| `cloud_security_groups_modifications_by_user_filter`", "how_to_implement": "This search requries the Cloud infrastructure logs such as AWS Cloudtrail, GCP Pubsub Message logs, Azure Audit logs to be ingested into an accelerated Change datamodel. It is also recommended that users can try different combinations of the `bucket` span time and outlier conditions to better suit with their environment.", "known_false_positives": "It is possible that legitimate user/admin may modify a number of security groups", "datamodel": ["Change"], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloud_security_groups_modifications_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect AWS Console Login by New User", "author": "Rico Valdez, Splunk", "date": "2024-05-28", "version": 4, "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "description": "The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console for the first time", "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1552"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), \"-24h@h\") OR isnull(earliestseen), \"First Time Logging into AWS Console\", \"Previously Seen User\") | where userStatus=\"First Time Logging into AWS Console\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_new_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS Console Login by User from New City", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-25", "version": 3, "id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "description": "The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from City $City$ for the first time", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New City\",\"Previously Seen City\") | where userCity = \"New City\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_user_from_new_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Country", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-16", "version": 3, "id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "description": "The following analytic identifies AWS console login events by users from a new country. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users and their login locations. This activity is significant because logins from new countries can indicate potential unauthorized access or compromised accounts. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the AWS environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Country $Country$ for the first time", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Country\",\"Previously Seen Country\") | where userCountry = \"New Country\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_user_from_new_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS Console Login by User from New Region", "author": "Bhavin Patel, Eric McGinnis Splunk", "date": "2024-05-18", "version": 3, "id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "description": "The following analytic identifies AWS console login attempts by users from a new region. It leverages AWS CloudTrail events and compares current login regions against a baseline of previously seen regions for each user. This activity is significant as it may indicate unauthorized access attempts or compromised credentials. If confirmed malicious, an attacker could gain unauthorized access to AWS resources, potentially leading to data breaches, resource manipulation, or further lateral movement within the cloud environment.", "references": [], "tags": {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account", "Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ is logging into the AWS console from Region $Region$ for the first time", "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Region\",\"Previously Seen Region\") | where userRegion= \"New Region\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_aws_console_login_by_user_from_new_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect GCP Storage access from a new IP", "author": "Shannon Davis, Splunk", "date": "2024-05-14", "version": 2, "id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "description": "The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "remote_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\"\\\"200\\\"\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),\"-70m@m\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\"%m/%d/%y %H:%M:%S\") | eval last_time=strftime(lastTime,\"%m/%d/%y %H:%M:%S\") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.", "known_false_positives": "GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "detect_gcp_storage_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect New Open GCP Storage Buckets", "author": "Shannon Davis, Splunk", "date": "2024-05-17", "version": 2, "id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "description": "The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.", "references": [], "tags": {"analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).", "known_false_positives": "While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the \"allUsers\" group.", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "detect_new_open_gcp_storage_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect New Open S3 buckets", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "description": "The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for `PutBucketAcl` actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "message": "User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw \"(?{.+})\" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN (\"http://acs.amazonaws.com/groups/global/AllUsers\",\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\") | search permission IN (\"READ\",\"READ_ACP\",\"WRITE\",\"WRITE_ACP\",\"FULL_CONTROL\") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter`", "how_to_implement": "You must install the AWS App for Splunk.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect New Open S3 Buckets over AWS CLI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "description": "The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to \"AuthenticatedUsers\" or \"AllUsers.\" This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.userName", "type": "User", "role": ["Victim"]}], "message": "User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cloudtrail` eventSource=\"s3.amazonaws.com\" (userAgent=\"[aws-cli*\" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-full-control IN (\"*AuthenticatedUsers\",\"*AllUsers\") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_over_aws_cli_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect S3 access from a new IP", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "e6f1bb1b-f441-492b-9126-902acda217da", "description": "The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "bucketName", "type": "Other", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "New S3 access from a new IP - $src_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the \"Previously Seen S3 Bucket Access by Remote IP\" support search once to create a history of previously seen remote IPs and bucket names.", "known_false_positives": "S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_s3_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 4, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"Resources{}.Type\"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 4, "id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "description": "The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.", "references": [], "tags": {"analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Spike in AWS Security Hub alerts for user - $user$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`aws_securityhub_finding` \"findings{}.Resources{}.Type\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 2, "id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "description": "The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity", "Command And Control", "Suspicious AWS Traffic"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "resourceId", "type": "Other", "role": ["Victim"]}], "message": "Blocked outbound traffic from your AWS", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as dest_ip, values(interface_id) as \"resourceId\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of \"spike.\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Blocked Outbound Connection\" support search once to create a history of previously seen blocked outbound connections.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudwatchlogs_vpcflow", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in S3 Bucket deletion", "author": "Bhavin Patel, Splunk", "date": "2024-05-03", "version": 2, "id": "e733a326-59d2-446d-b8db-14a17151aa68", "description": "The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity.", "references": [], "tags": {"analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1530"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of S3 Bucket deletion activity by ARN\" support search once to create a baseline of previously seen S3 bucket-deletion activity.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_s3_bucket_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "GCP Authentication Failed During MFA Challenge", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 3, "id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "description": "The following analytic detects failed authentication attempts during the Multi-Factor Authentication (MFA) challenge on a Google Cloud Platform (GCP) tenant. It uses Google Workspace login failure events to identify instances where MFA methods were challenged but not successfully completed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials despite MFA protection. If confirmed malicious, this could lead to unauthorized access attempts, potentially compromising sensitive data and resources within the GCP environment.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to pass MFA challenge", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Detect gcploit framework", "author": "Rod Soto, Splunk", "date": "2024-05-14", "version": 2, "id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "description": "The following analytic identifies the use of the GCPloit exploitation framework within Google Cloud Platform (GCP). It detects specific GCP Pub/Sub messages with a function timeout of 539 seconds, which is indicative of GCPloit activity. This detection is significant as GCPloit can be used to escalate privileges and facilitate lateral movement from compromised high-privilege accounts. If confirmed malicious, this activity could allow attackers to gain unauthorized access, escalate their privileges, and move laterally within the GCP environment, potentially compromising sensitive data and critical resources.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects", "datamodel": ["Email"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_detect_gcploit_framework_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Kubernetes cluster pod scan detection", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 2, "id": "19b53215-4a16-405b-8087-9e6acf619842", "description": "The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment.", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gcp_kubernetes_cluster_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Multi-Factor Authentication Disabled", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "description": "The following analytic detects an attempt to disable multi-factor authentication (MFA) for a Google Cloud Platform (GCP) user. It leverages Google Workspace Admin log events, specifically the `UNENROLL_USER_FROM_STRONG_AUTH` command. This activity is significant because disabling MFA can allow an adversary to maintain persistence within the environment using a compromised account without raising suspicion. If confirmed malicious, this action could enable attackers to bypass additional security layers, potentially leading to unauthorized access, data exfiltration, or further exploitation of the compromised account.", "references": ["https://support.google.com/cloudidentity/answer/2537800?hl=en", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "GCP", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "actor.email", "type": "User", "role": ["Attacker"]}], "message": "MFA disabled for User $user$ initiated by $actor.email$", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status, id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_reports_admin", "definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GCP Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "description": "The following analytic detects multiple failed multi-factor authentication (MFA) requests for a single user within a Google Cloud Platform (GCP) tenant. It triggers when 10 or more MFA prompts fail within a 5-minute window, using Google Workspace login failure events. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise accounts and potentially escalate privileges within the GCP environment.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple Failed MFA requests for user $user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "description": "The following analytic detects a single source IP address failing to authenticate into more than 20 unique Google Workspace user accounts within a 5-minute window. It leverages Google Workspace login failure events to identify potential password spraying attacks. This activity is significant as it may indicate an adversary attempting to gain unauthorized access or elevate privileges within the Google Cloud Platform. If confirmed malicious, this behavior could lead to unauthorized access to sensitive resources, data breaches, or further exploitation within the environment.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "tried_accounts", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false postives for this detection. Please review this alert.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GCP Successful Single-Factor Authentication", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "description": "The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://support.google.com/a/answer/175197?hl=en", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Successful authentication for user $user$ without MFA", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, login_challenge_method, app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `gcp_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "gcp_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "description": "The following analytic identifies a single source IP failing to authenticate into Google Workspace with multiple valid users, potentially indicating a Password Spraying attack. It uses Google Workspace login failure events and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation within the environment.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "message": "Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$", "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false positives for this detection. Please review this alert", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gcp_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Gdrive suspicious file sharing", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-13", "version": 2, "id": "a7131dae-34e3-11ec-a2de-acde48001122", "description": "The following analytic identifies suspicious file-sharing activity on Google Drive, where internal users share documents with more than 50 external recipients. It leverages GSuite Drive logs, focusing on changes in user access and filtering for emails outside the organization's domain. This activity is significant as it may indicate compromised accounts or intentional data exfiltration. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, data leaks, and potential compliance violations.", "references": ["https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html"], "tags": {"analytic_story": ["Data Exfiltration", "Spearphishing Attachments"], "asset_type": "GDrive", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = \"*@yourdomain.com\" target_user != \"*@yourdomain.com\" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`", "how_to_implement": "Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gdrive_suspicious_file_sharing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GitHub Actions Disable Security Workflow", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 2, "id": "0459f1a5-c0ac-4987-82d6-65081209f854", "description": "The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Security Workflow is disabled in branch $branch$ for repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1195.002", "T1195"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_actions_disable_security_workflow_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Github Commit Changes In Master", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c9d2bfe2-019f-11ec-a8eb-acde48001122", "description": "The following analytic detects direct commits or pushes to the master or main branch in a GitHub repository. It leverages GitHub logs to identify events where changes are made directly to these critical branches. This activity is significant because direct modifications to the master or main branch bypass the standard review process, potentially introducing unreviewed and harmful changes. If confirmed malicious, this could lead to unauthorized code execution, security vulnerabilities, or compromised project integrity.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to main branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1199"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "Admin can do changes directly to master branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_changes_in_master_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Github Commit In Develop", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "f3030cb6-0b02-11ec-8f22-acde48001122", "description": "The following analytic detects commits pushed directly to the 'develop' or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on commit metadata such as author details, commit messages, and timestamps. This activity is significant as direct commits to these branches can bypass the review process, potentially introducing unvetted changes. If confirmed malicious, this could lead to unauthorized code modifications, introducing vulnerabilities or backdoors into the codebase, and compromising the integrity of the development lifecycle.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Victim"]}], "message": "Suspicious commit by $commit.commit.author.email$ to develop branch", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1199"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to develop branch", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_in_develop_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GitHub Dependabot Alert", "author": "Patrick Bareiss, Splunk", "date": "2024-05-27", "version": 2, "id": "05032b04-4469-4034-9df7-05f607d75cba", "description": "The following analytic identifies the creation of GitHub Dependabot alerts, which indicate potential vulnerabilities in the codebase. It detects this activity by searching for logs with the \"create\" action and analyzing fields such as affected package, severity, and fixed version. This detection is significant for a SOC because it helps identify and address security risks in the codebase proactively. If confirmed malicious, these vulnerabilities could be exploited by attackers to gain unauthorized access or cause breaches, leading to potential data loss or system compromise.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1195.001", "T1195"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_dependabot_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GitHub Pull Request from Unknown User", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 2, "id": "9d7b9100-8878-4404-914e-ca5e551a641e", "description": "The following analytic detects pull requests from unknown users on GitHub. It uses a Splunk query to identify pull requests where the user ID is not specified and cross-references these with a known users lookup table. This activity is significant because pull requests from unknown users can introduce malicious code or unauthorized changes to repositories. If confirmed malicious, this could lead to unauthorized code changes, data breaches, or other security incidents. Immediate steps include reviewing the author's name, repository, head reference, and commit message, and investigating any related artifacts and processes.", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Other", "role": ["Victim"]}], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1195.001", "T1195"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_known_users", "definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects."}, {"name": "github_pull_request_from_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Drive Share In External Email", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "description": "The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1567.002", "T1567"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_drive` NOT (email IN(\"\", \"null\")) | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=email \"[^@]+@(?[^@]+)\" | where src_domain = \"internal_test_email.com\" and not dest_domain = \"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "network admin or normal user may share files to customer and external team.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_drive_share_in_external_email_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GSuite Email Suspicious Attachment", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "6d663014-fe92-11eb-ab07-acde48001122", "description": "The following analytic detects suspicious attachment file extensions in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, and .js. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. If confirmed malicious, this could lead to unauthorized code execution, data breaches, or further network infiltration.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "Email Address", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` \"attachment{}.file_extension_type\" IN (\"pl\", \"py\", \"rb\", \"sh\", \"bat\", \"exe\", \"dll\", \"cpl\", \"com\", \"js\", \"vbs\", \"ps1\", \"reg\",\"swf\", \"cmd\", \"go\") | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_email_suspicious_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Email Suspicious Subject With Attachment", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "8ef3971e-00f2-11ec-b54f-acde48001122", "description": "The following analytic identifies Gsuite emails with suspicious subjects and attachments commonly used in spear phishing attacks. It leverages Gsuite email logs, focusing on specific keywords in the subject line and known malicious file types in attachments. This activity is significant for a SOC as spear phishing is a prevalent method for initial compromise, often leading to further malicious actions. If confirmed malicious, this activity could result in unauthorized access, data exfiltration, or further malware deployment, posing a significant risk to the organization's security.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` num_message_attachments > 0 subject IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"* fedex *\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") attachment{}.file_extension_type IN (\"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"pdf\", \"zip\", \"rar\", \"html\",\"htm\",\"hta\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_email_suspicious_subject_with_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Email With Known Abuse Web Service Link", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "8630aa22-042b-11ec-af39-acde48001122", "description": "The following analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite Gmail logs to identify emails with these specific domains in their links. This activity is significant because these services are commonly used by attackers to deliver malicious payloads. If confirmed malicious, this could lead to the delivery of malware, phishing attacks, or other harmful activities, potentially compromising sensitive information or systems within the organization.", "references": ["https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "destination{}.address", "type": "Email Address", "role": ["Victim"]}, {"name": "source.address", "type": "Email Address", "role": ["Attacker"]}], "message": "Suspicious email from $source.address$ to $destination{}.address$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_gmail` \"link_domain{}\" IN (\"*pastebin.com*\", \"*discord*\", \"*telegram*\",\"t.me\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal email contains this link that are known application within the organization or network can be catched by this detection.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_email_with_known_abuse_web_service_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2024-05-10", "version": 3, "id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "description": "The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_domain_list", "type": "Email Address", "role": ["Victim"]}, {"name": "dest_domain", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious email from $src_domain_list$ to $dest_domain$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where source_domain=\"internal_test_email.com\" and not dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_outbound_email_with_attachment_to_external_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Gsuite suspicious calendar invite", "author": "Rod Soto, Teoderick Contreras", "date": "2024-05-21", "version": 2, "id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "description": "The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.", "references": ["https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/", "https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "email", "type": "Email Address", "role": ["Attacker"]}], "message": "Gsuite suspicious calendar invite sent by $email$", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email=\"*yourdomain.com\"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`", "how_to_implement": "In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_calendar", "definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_calendar_invite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Gsuite Suspicious Shared File Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "07eed200-03f5-11ec-98fb-acde48001122", "description": "The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like \"dhl,\" \"ups,\" \"invoice,\" and \"shipment.\" This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user's system.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`gsuite_drive` parameters.owner_is_team_drive=false \"parameters.doc_title\" IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"*fedex*\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") parameters.doc_type IN (\"document\",\"pdf\", \"msexcel\", \"msword\", \"spreadsheet\", \"presentation\") | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=parameters.target_user \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_shared_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "High Number of Login Failures from a single source", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "description": "The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.", "references": ["https://attack.mitre.org/techniques/T1110/001/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1110.001", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where failed_attempts > 10 | `high_number_of_login_failures_from_a_single_source_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.", "known_false_positives": "An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "high_number_of_login_failures_from_a_single_source_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual Location", "author": "Patrick Bareiss, Splunk", "date": "2024-05-11", "version": 2, "id": "40a064c1-4ec1-4381-9e35-61192ba8ef82", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests by country. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs{} | fillnull | search NOT `kube_allowed_locations` | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_location_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_locations", "definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 2, "id": "096ab390-05ca-462c-884e-343acd5b9240", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user agents. This activity is significant for a SOC because Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of critical information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_agents` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_agents", "definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "b6f45bbc-4ea9-4068-b3bc-0477f6997ae2", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests and user groups. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys. If confirmed malicious, this behavior could indicate an attacker attempting to exfiltrate or misuse these secrets, potentially leading to unauthorized access to sensitive systems or data.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_groups` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_group_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_groups", "definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "author": "Patrick Bareiss, Splunk", "date": "2024-05-27", "version": 2, "id": "df6e9cae-5257-4a34-8f3a-df49fa0f5c46", "description": "The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user names. This activity is significant for a SOC as Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Access of Kubernetes secret $objectRef.name$ from unusual user name $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1552.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_allowed_user_names` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_abuse_of_secret_by_unusual_user_name_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_user_names", "definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Access Scanning", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "2f4abe6d-5991-464d-8216-f90f42999764", "description": "The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities by monitoring Kubernetes audit logs for repeated failed access attempts or unusual API requests. This activity is significant for a SOC as it may indicate an attacker's preliminary reconnaissance to gather information about the system. If confirmed malicious, this activity could lead to unauthorized access to sensitive systems or data, posing a severe security risk.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1046"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_access_scanning_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_access_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-05-17", "version": 2, "id": "10442d8b-0701-4c25-911d-d67b906e713c", "description": "The following analytic identifies anomalous inbound network traffic volumes from processes within containerized workloads. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days. This activity is significant as it may indicate unauthorized data reception, potential breaches, vulnerability exploitation, or malware propagation. If confirmed malicious, it could lead to command and control installation, data integrity damage, container escape, and further environment compromise.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name dest.workload.name dest.process.name span=10s | eval key='dest.workload.name' + \":\" + 'dest.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by dest.workload.name dest.process.name | eval key='dest.workload.name' + \":\" + 'dest.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_inbound_network_activity_from_process_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_inbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "author": "Matthew Moore, Splunk", "date": "2024-05-13", "version": 2, "id": "4f3b0c97-657e-4547-a89a-9a50c656e3cd", "description": "The following analytic identifies high inbound or outbound network I/O anomalies in Kubernetes containers. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. A lookup table with average and standard deviation values for network I/O is used to detect anomalies persisting over a 1-hour period. This activity is significant as it may indicate data exfiltration, command and control communication, or unauthorized data transfers. If confirmed malicious, it could lead to data breaches, service outages, financial losses, and reputational damage.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$$|-[abcdef0-9]{8,10}-\\w{5}$$\", \"\") | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by k8s.cluster.name k8s.node.name k8s.pod.name service _time | eval key = 'k8s.cluster.name' + \":\" + 'service' | lookup k8s_container_network_io_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_outbound_network_io_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_inbound_outbound_network_io_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "k8s_container_network_io_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO", "collection": "k8s_container_network_io_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "author": "Matthew Moore, Splunk", "date": "2024-05-26", "version": 2, "id": "9d8f6e3f-39df-46d8-a9d4-96173edc501f", "description": "The following analytic identifies significant changes in network communication behavior within Kubernetes containers by examining the inbound to outbound network IO ratios. It leverages process metrics from an OTEL collector and Kubelet Stats Receiver, along with data from Splunk Observability Cloud. Anomalies are detected using a lookup table containing average and standard deviation values for network IO, triggering an event if the anomaly persists for over an hour. This activity is significant as it may indicate data exfiltration, command and control communication, or compromised container behavior. If confirmed malicious, it could lead to data breaches, service outages, and unauthorized access within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8s.cluster.name k8s.pod.name k8s.node.name direction span=10s | eval service = replace('k8s.pod.name', \"-\\w{5}$|-[abcdef0-9]{8,10}-\\w{5}$\", \"\") | eval key = 'k8s.cluster.name' + \":\" + 'service' | stats avg(eval(if(direction=\"transmit\", io,null()))) as outbound_network_io avg(eval(if(direction=\"receive\", io,null()))) as inbound_network_io by key service k8s.cluster.name k8s.pod.name k8s.node.name _time | eval inbound:outbound = inbound_network_io/outbound_network_io | eval outbound:inbound = outbound_network_io/inbound_network_io | fields - *network_io | lookup k8s_container_network_io_ratio_baseline key | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by k8s.cluster.name k8s.node.name k8s.pod.name service | rename service as k8s.service | where count > 5 | rename k8s.node.name as host | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "k8s_container_network_io_ratio_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO Ratio", "collection": "k8s_container_network_io_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen"}]}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "author": "Matthew Moore, Splunk", "date": "2024-05-25", "version": 2, "id": "dd6afee6-e0a3-4028-a089-f47dd2842c22", "description": "The following analytic identifies anomalously high outbound network activity from processes running within containerized workloads in a Kubernetes environment. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average metrics over the past 30 days. This activity is significant as it may indicate data exfiltration, process modification, or container compromise. If confirmed malicious, it could lead to unauthorized data exfiltration, communication with malicious entities, or further attacks within the containerized environment.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name source.process.name span=10s | eval key='source.workload.name' + \":\" + 'source.process.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name source.process.name | eval key='source.workload.name' + \":\" + 'source.process.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_outbound_network_activity_from_process_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_outbound_network_activity_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "author": "Matthew Moore, Splunk", "date": "2024-05-24", "version": 2, "id": "886c7e51-2ea1-425d-8705-faaca5a64cc6", "description": "The following analytic identifies anomalous network traffic volumes between Kubernetes workloads or between a workload and external sources. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares recent network metrics (tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets) over the last hour with the average over the past 30 days to identify significant deviations. This activity is significant as unexpected spikes may indicate unauthorized data transfers or lateral movement. If confirmed malicious, it could lead to data exfiltration or compromise of additional services, potentially resulting in data breaches.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name span=10s | eval key='source.workload.name' + \":\" + 'dest.workload.name' | join type=left key [ mstats avg(tcp.*) as avg_tcp.* avg(udp.*) as avg_udp.* stdev(tcp.*) as stdev_tcp.* avg(udp.*) as stdev_udp.* where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval key='source.workload.name' + \":\" + 'dest.workload.name' ] | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 3 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | fillnull | eval anomalies = split(replace(anomalies, \",\\s$$$$\", \"\") ,\", \") | where anomalies!=\"\" | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name dest.workload.name | rename service as k8s.service | where count > 5 | rename k8s.cluster.name as host | `kubernetes_anomalous_traffic_on_network_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_anomalous_traffic_on_network_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "author": "Rod Soto, Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 3, "id": "042a3d32-8318-4763-9679-09db2644a8f2", "description": "The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from `kube_audit` logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk.", "references": [], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` user.username=\"system:anonymous\" user.groups{} IN (\"system:unauthenticated\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Create or Update Privileged Pod", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "3c6bd734-334d-4818-ae7c-5234313fc5da", "description": "The following analytic detects the creation or update of privileged pods in Kubernetes. It identifies this activity by monitoring Kubernetes Audit logs for pod configurations that include root privileges. This behavior is significant for a SOC as it could indicate an attempt to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, data breaches, and service disruptions, posing a severe threat to the environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes privileged pod created by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"privileged\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_create_or_update_privileged_pod_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_create_or_update_privileged_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Cron Job Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 2, "id": "5984dbe8-572f-47d7-9251-3dff6c3f0c0d", "description": "The following analytic detects the creation of a Kubernetes cron job, which is a task scheduled to run automatically at specified intervals. It identifies this activity by monitoring Kubernetes Audit logs for the creation events of cron jobs. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes cron job creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1053.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` verb=create \"objectRef.resource\"=cronjobs | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_cron_job_creation_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_cron_job_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes DaemonSet Deployed", "author": "Patrick Bareiss, Splunk", "date": "2024-05-16", "version": 2, "id": "bf39c3a3-b191-4d42-8738-9d9797bd0c3a", "description": "The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. This behavior is identified by monitoring Kubernetes Audit logs for the creation event of a DaemonSet. DaemonSets ensure a specific pod runs on every node, making them a potential vector for persistent access. This activity is significant for a SOC as it could indicate an attempt to maintain persistent access to the Kubernetes infrastructure. If confirmed malicious, it could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "DaemonSet deployed to Kubernetes by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=daemonsets verb=create | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_daemonset_deployed_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_daemonset_deployed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Falco Shell Spawned", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 2, "id": "d2feef92-d54a-4a19-8306-b47c6ceba5b2", "description": "The following analytic detects instances where a shell is spawned within a Kubernetes container. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment and flags when a shell is spawned. This activity is significant for a SOC as it may indicate unauthorized access, allowing an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges. If confirmed malicious, this could lead to data breaches, service disruptions, or unauthorized access to sensitive information, severely impacting the Kubernetes infrastructure's integrity and security.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A shell is spawned in the container $container_name$ by user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_container_falco` \"A shell was spawned in a container\" | fillnull | stats count by container_image container_image_tag container_name parent proc_exepath process user | `kubernetes_falco_shell_spawned_filter`", "how_to_implement": "The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_container_falco", "definition": "sourcetype=\"kube:container:falco\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_falco_shell_spawned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen TCP edge", "author": "Matthew Moore, Splunk", "date": "2024-05-15", "version": 2, "id": "13f081d6-7052-428a-bbb0-892c79ca7c65", "description": "The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen TCP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_tcp_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_tcp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes newly seen UDP edge", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "49b7daca-4e3c-4899-ba15-9a175e056fa9", "description": "The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes newly seen UDP edge in kubernetes cluster $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h by k8s.cluster.name source.workload.name dest.workload.name | eval current=\"True\" | append [ mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by source.workload.name dest.workload.name | eval current=\"false\" ] | eventstats values(current) as current by source.workload.name dest.workload.name | search current=\"true\" current!=\"false\" | rename k8s.cluster.name as host | `kubernetes_newly_seen_udp_edge_filter`", "how_to_implement": "To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\n* Name sim_npm_metrics_to_metrics_index\n* Metric Resolution 10000", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_newly_seen_udp_edge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Nginx Ingress LFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "0f83244b-425b-4528-83db-7a88c5f66e48", "description": "The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Local File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1212"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request \"^(?\\S+)\\s(?\\S+)\\s\" | eval phase=\"operate\" | eval severity=\"high\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_nginx_ingress_lfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack", "filename": "local_file_inclusion_paths.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "fields_list": null}]}, {"name": "Kubernetes Nginx Ingress RFI", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 4, "id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "description": "The following analytic detects remote file inclusion (RFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs from the Nginx ingress controller, parsing fields such as `remote_addr`, `request`, and `url` to identify suspicious activity. This activity is significant because RFI attacks can allow attackers to execute arbitrary code or access sensitive files on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the Kubernetes environment.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Remote File Inclusion Attack detected on $host$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1212"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rex field=request \"^(?\\S+)?\\s(?\\S+)\\s\" | rex field=url \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase=\"operate\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_nginx_ingress_rfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kubernetes Node Port Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "d7fc865e-b8a1-4029-a960-cf4403b821b6", "description": "The following analytic detects the creation of a Kubernetes NodePort service, which exposes a service to the external network. It identifies this activity by monitoring Kubernetes Audit logs for the creation of NodePort services. This behavior is significant for a SOC as it could allow an attacker to access internal services, posing a threat to the Kubernetes infrastructure's integrity and security. If confirmed malicious, this activity could lead to data breaches, service disruptions, or unauthorized access to sensitive information.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes node port creation from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"objectRef.resource\"=services verb=create requestObject.spec.type=NodePort | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind requestObject.spec.type responseStatus.code sourceIPs{} stage user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_node_port_creation_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_node_port_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod Created in Default Namespace", "author": "Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 2, "id": "3d6b1a81-367b-42d5-a925-6ef90b6b9f1e", "description": "The following analytic detects the creation of Kubernetes pods in the default, kube-system, or kube-public namespaces. It leverages Kubernetes audit logs to identify pod creation events within these specific namespaces. This activity is significant for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Unauthorized pod creation in these namespaces can suggest a successful cluster breach, potentially leading to privilege escalation, persistent access, or further malicious activities within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes Pod Created in Default Namespace by $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN (\"default\", \"kube-system\", \"kube-public\") | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_created_in_default_namespace_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_created_in_default_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Pod With Host Network Attachment", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 2, "id": "cce357cf-43a4-494a-814b-67cea90fe990", "description": "The following analytic detects the creation or update of a Kubernetes pod with host network attachment. It leverages Kubernetes Audit logs to identify pods configured with host network settings. This activity is significant for a SOC as it could allow an attacker to monitor all network traffic on the node, potentially capturing sensitive information and escalating privileges. If confirmed malicious, this could lead to unauthorized access, data breaches, and service disruptions, severely impacting the security and integrity of the Kubernetes environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes pod with host network attachment from user $user$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` objectRef.resource=pods verb=create OR verb=update requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration=*\\\"hostNetwork\\\":true* | fillnull | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_pod_with_host_network_attachment_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_pod_with_host_network_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Container Image Name", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "fea515a4-b1d8-4cd6-80d6-e0d71397b891", "description": "The following analytic identifies the creation of containerized workloads using previously unseen images in a Kubernetes cluster. It leverages process metrics from an OTEL collector and Kubernetes cluster receiver, pulled from Splunk Observability Cloud. The detection compares container image names seen in the last hour with those from the previous 30 days. This activity is significant as unfamiliar container images may introduce vulnerabilities, malware, or misconfigurations, posing threats to the cluster's integrity. If confirmed malicious, compromised images can lead to data breaches, service disruptions, unauthorized access, and potential lateral movement within the cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Container Image Name on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-24h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"True\" | append [mstats count(k8s.container.ready) as k8s.container.ready_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name container.image.name | eval current=\"false\" ] | stats values(current) as current by host.name k8s.cluster.name k8s.node.name container.image.name | search current=\"true\" AND current!=\"false\" | rename host.name as host | `kubernetes_previously_unseen_container_image_name_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_container_image_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Previously Unseen Process", "author": "Matthew Moore, Splunk", "date": "2024-05-13", "version": 2, "id": "c8119b2f-d7f7-40be-940a-1c582870e8e2", "description": "The following analytic detects previously unseen processes within the Kubernetes environment on master or worker nodes. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud. This detection compares processes observed in the last hour against those seen in the previous 30 days. Identifying new processes is crucial as they may indicate unauthorized activity or attempts to compromise the node. If confirmed malicious, these processes could lead to data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware, posing significant risks to the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Previously Unseen Process on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name | eval current=\"True\" | append [mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.executable.name | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_previously_unseen_process_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_previously_unseen_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process Running From New Path", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "454076fb-0e9e-4adf-b93a-da132621c5e6", "description": "The following analytic identifies processes running from newly seen paths within a Kubernetes environment. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, and data is pulled from Splunk Observability Cloud using the Splunk Infrastructure Monitoring Add-on. This detection compares processes observed in the last hour with those seen over the previous 30 days. This activity is significant as it may indicate unauthorized changes, compromised nodes, or the introduction of malicious software. If confirmed malicious, it could lead to unauthorized process execution, control over critical resources, data exfiltration, privilege escalation, or malware introduction within the Kubernetes cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process Running From New Path on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name | eval current=\"True\" | append [ mstats count(process.memory.utilization) as process.memory.utilization_count where `kubernetes_metrics` AND earliest=-30d latest=-1h by host.name k8s.cluster.name k8s.node.name process.pid process.executable.path process.executable.name ] | stats count values(current) as current by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name process.executable.path | where count=1 and current=\"True\" | rename host.name as host | `kubernetes_process_running_from_new_path_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_running_from_new_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "author": "Matthew Moore, Splunk", "date": "2024-05-27", "version": 2, "id": "25ca9594-7a0d-4a95-a5e5-3228d7398ec8", "description": "The following analytic identifies high resource utilization anomalies in Kubernetes processes. It leverages process metrics from an OTEL collector and hostmetrics receiver, fetched via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values to spot anomalies. This activity is significant as high resource utilization can indicate security threats like cryptojacking, unauthorized data exfiltration, or compromised containers. If confirmed malicious, such anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Anomalous Resource Utilisation on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | sort - count | where count > 5 | rename host.name as host | `kubernetes_process_with_anomalous_resource_utilisation_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_anomalous_resource_utilisation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_baseline", "description": "A place holder for a list of used Kuberntes Process Resource", "collection": "k8s_process_resource_baseline", "case_sensitive_match": null, "fields_list": "host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key"}]}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "author": "Matthew Moore, Splunk", "date": "2024-05-30", "version": 2, "id": "0d42b295-0f1f-4183-b75e-377975f47c65", "description": "The following analytic detects anomalous changes in resource utilization ratios for processes running on a Kubernetes node. It leverages process metrics collected via an OTEL collector and hostmetrics receiver, analyzed through Splunk Observability Cloud. The detection uses a lookup table containing average and standard deviation values for various resource ratios (e.g., CPU:memory, CPU:disk operations). Significant deviations from these baselines may indicate compromised processes, malicious activity, or misconfigurations. If confirmed malicious, this could signify a security breach, allowing attackers to manipulate workloads, potentially leading to data exfiltration or service disruption.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Process with Resource Ratio Anomalies on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.*) as process.* where `kubernetes_metrics` by host.name k8s.cluster.name k8s.node.name process.executable.name span=10s | eval cpu:mem = 'process.cpu.utilization'/'process.memory.utilization' | eval cpu:disk = 'process.cpu.utilization'/'process.disk.operations' | eval mem:disk = 'process.memory.utilization'/'process.disk.operations' | eval cpu:threads = 'process.cpu.utilization'/'process.threads' | eval disk:threads = 'process.disk.operations'/'process.threads' | eval key = 'k8s.cluster.name' + \":\" + 'host.name' + \":\" + 'process.executable.name' | lookup k8s_process_resource_ratio_baseline key | fillnull | eval anomalies = \"\" | foreach stdev_* [ eval anomalies =if( '<>' > ('avg_<>' + 4 * 'stdev_<>'), anomalies + \"<> ratio higher than average by \" + tostring(round(('<>' - 'avg_<>')/'stdev_<>' ,2)) + \" Standard Deviations. <>=\" + tostring('<>') + \" avg_<>=\" + tostring('avg_<>') + \" 'stdev_<>'=\" + tostring('stdev_<>') + \", \" , anomalies) ] | eval anomalies = replace(anomalies, \",\\s$\", \"\") | where anomalies!=\"\" | stats count values(anomalies) as anomalies by host.name k8s.cluster.name k8s.node.name process.executable.name | where count > 5 | rename host.name as host | `kubernetes_process_with_resource_ratio_anomalies_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_process_with_resource_ratio_anomalies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "k8s_process_resource_ratio_baseline", "description": "A place holder for a list of used Kuberntes Process Ratios", "collection": "k8s_process_resource_ratio_baseline", "case_sensitive_match": null, "fields_list": "key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen"}]}, {"name": "Kubernetes Scanner Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 2, "id": "4890cd6b-0112-4974-a272-c5c153aee551", "description": "The following analytic detects the pulling of known Kubernetes security scanner images such as kube-hunter, kube-bench, and kube-recon. It leverages Kubernetes logs ingested through Splunk Connect for Kubernetes, specifically monitoring for messages indicating the pulling of these images. This activity is significant because the use of security scanners can indicate an attempt to identify vulnerabilities within the Kubernetes environment. If confirmed malicious, this could lead to the discovery and exploitation of security weaknesses, potentially compromising the entire Kubernetes cluster.", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes"], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes Scanner image pulled on host $host$", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`kube_objects_events` object.message IN (\"Pulling image *kube-hunter*\", \"Pulling image *kube-bench*\", \"Pulling image *kube-recon*\", \"Pulling image *kube-recon*\") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase=\"operate\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "kube_objects_events", "definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanner_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "author": "Patrick Bareiss, Splunk", "date": "2024-05-10", "version": 2, "id": "f9cadf4e-df22-4f4e-a08f-9d3344c2165d", "description": "The following analytic identifies potential scanning activities within a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) from the same source IP. This activity is significant as it may indicate an attacker probing for vulnerabilities or attempting to exploit known issues. If confirmed malicious, such scanning could lead to unauthorized access, data breaches, or further exploitation of the Kubernetes infrastructure, compromising the security and integrity of the environment.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Kubernetes scanning from ip $src_ip$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1046"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` \"user.groups{}\"=\"system:unauthenticated\" \"responseStatus.code\"=403 | iplocation sourceIPs{} | stats count values(userAgent) as userAgent values(user.username) as user.username values(user.groups{}) as user.groups{} values(verb) as verb values(requestURI) as requestURI values(responseStatus.code) as responseStatus.code values(responseStatus.message) as responseStatus.message values(responseStatus.reason) as responseStatus.reason values(responseStatus.status) as responseStatus.status by sourceIPs{} Country City | where count > 5 | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_scanning_by_unauthenticated_ip_address_filter`", "how_to_implement": "You must ingest Kubernetes audit logs.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanning_by_unauthenticated_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node", "author": "Matthew Moore, Splunk", "date": "2024-05-25", "version": 2, "id": "efebf0c4-dcf4-496f-85a2-5ab7ad8fa876", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It leverages process metrics from an OTEL collector hostmetrics receiver, specifically process.cpu.utilization and process.memory.utilization, pulled from Splunk Observability Cloud. This activity is significant as unauthorized shell processes can indicate potential security threats, providing attackers an entry point to compromise the node and the entire Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 OR process.memory.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "author": "Matthew Moore, Splunk", "date": "2024-05-11", "version": 2, "id": "cc1448e3-cc7a-4518-bc9f-2fa48f61a22b", "description": "The following analytic identifies shell activity within the Kubernetes privilege scope on a worker node, specifically when shell processes are consuming CPU resources. It leverages process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability Cloud via the Splunk Infrastructure Monitoring Add-on, focusing on process.cpu.utilization and process.memory.utilization. This activity is significant as unauthorized shell processes can indicate a security threat, potentially compromising the node and the entire Kubernetes cluster. If confirmed malicious, attackers could gain full control over the host's resources, leading to data theft, service disruption, privilege escalation, and further attacks within the cluster.", "references": ["https://github.com/signalfx/splunk-otel-collector-chart/tree/main"], "tags": {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Kubernetes shell with cpu activity running on worker node on host $host$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| mstats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization where `kubernetes_metrics` AND process.executable.name IN (\"sh\",\"bash\",\"csh\", \"tcsh\") by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name span=10s | search process.cpu.utilization>0 | stats avg(process.cpu.utilization) as process.cpu.utilization avg(process.memory.utilization) as process.memory.utilization by host.name k8s.cluster.name k8s.node.name process.pid process.executable.name | rename host.name as host | `kubernetes_shell_running_on_worker_node_with_cpu_activity_filter`", "how_to_implement": "To implement this detection, follow these steps:\n* Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.\n* Enable the hostmetrics/process receiver in the OTEL configuration.\n* Ensure that the process metrics, specifically Process.cpu.utilization and process.memory.utilization, are enabled.\n* Install the Splunk Infrastructure Monitoring (SIM) add-on. (ref: https://splunkbase.splunk.com/app/5247)\n* Configure the SIM add-on with your Observability Cloud Organization ID and Access Token.\n* Set up the SIM modular input to ingest Process Metrics. Name this input \"sim_process_metrics_to_metrics_index\".\n* In the SIM configuration, set the Organization ID to your Observability Cloud Organization ID.\n* Set the Signal Flow Program to the following: data('process.threads').publish(label='A'); data('process.cpu.utilization').publish(label='B'); data('process.cpu.time').publish(label='C'); data('process.disk.io').publish(label='D'); data('process.memory.usage').publish(label='E'); data('process.memory.virtual').publish(label='F'); data('process.memory.utilization').publish(label='G'); data('process.cpu.utilization').publish(label='H'); data('process.disk.operations').publish(label='I'); data('process.handles').publish(label='J'); data('process.threads').publish(label='K')\n* Set the Metric Resolution to 10000.\n* Leave all other settings at their default values.\n* Run the Search Baseline Of Kubernetes Container Network IO Ratio ", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kubernetes_metrics", "definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Suspicious Image Pulling", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 2, "id": "4d3a17b3-0a6d-4ae0-9421-46623a69c122", "description": "The following analytic detects suspicious image pulling in Kubernetes environments. It identifies this activity by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is significant for a SOC as it may indicate an attacker attempting to deploy malicious software or infiltrate the system. If confirmed malicious, the impact could be severe, potentially leading to unauthorized access to sensitive systems or data, and enabling further malicious activities within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` requestObject.message=\"Pulling image*\" | search NOT `kube_allowed_images` | fillnull | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_suspicious_image_pulling_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_allowed_images", "definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes cluster."}, {"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_suspicious_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Unauthorized Access", "author": "Patrick Bareiss, Splunk", "date": "2024-05-21", "version": 2, "id": "9b5f1832-e8b9-453f-93df-07a3d6a72a45", "description": "The following analytic detects unauthorized access attempts to Kubernetes by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by examining the source of requests and their response statuses. This activity is significant for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes environment. If confirmed malicious, such access could lead to unauthorized control over Kubernetes resources, potentially compromising sensitive systems or data within the cluster.", "references": ["https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"], "tags": {"analytic_story": ["Kubernetes Security"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Unauthorized access to Kubernetes from user $user$", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | stats count by objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code responseStatus.message sourceIPs{} stage user.groups{} user.uid user.username userAgent verb | rename sourceIPs{} as src_ip, user.username as user | `kubernetes_unauthorized_access_filter`", "how_to_implement": "The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.", "known_false_positives": "unknown", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "kube_audit", "definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_unauthorized_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Add App Role Assignment Grant User", "author": "Rod Soto, Splunk", "date": "2024-05-19", "version": 3, "id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "description": "The following analytic detects the addition of an application role assignment grant to a user in Office 365. It leverages data from the `o365_management_activity` dataset, specifically monitoring the \"Add app role assignment grant to user\" operation. This activity is significant as it can indicate unauthorized privilege escalation or the assignment of sensitive roles to users. If confirmed malicious, this could allow an attacker to gain elevated permissions, potentially leading to unauthorized access to critical resources and data within the Office 365 environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "User $user$ has created a new federation setting $modified_properties_name$ on $dest$", "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment grant to user.\" | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_add_app_role_assignment_grant_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Added Service Principal", "author": "Rod Soto, Splunk", "date": "2024-05-27", "version": 4, "id": "1668812a-6047-11eb-ae93-0242ac130002", "description": "The following analytic detects the addition of new service principal accounts in O365 tenants. It leverages data from the `o365_management_activity` dataset, specifically monitoring for operations related to adding or creating service principals. This activity is significant because attackers can exploit service principals to gain unauthorized access and perform malicious actions within an organization's environment. If confirmed malicious, this could allow attackers to interact with APIs, access resources, and execute operations on behalf of the organization, potentially leading to data breaches or further compromise.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"*Add service principal*\" OR (Operation = \"*principal*\" AND action = \"created\") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_added_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Admin Consent Bypassed by Service Principal", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "8a1b22eb-50ce-4e26-a691-97ff52349569", "description": "The following analytic identifies instances where a service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent. It leverages `o365_management_activity` logs, specifically focusing on the 'Add app role assignment to service principal' operation. This activity is significant for SOCs as it may indicate a bypass of critical administrative controls, potentially leading to unauthorized access or privilege escalation. If confirmed malicious, this could allow an attacker to misuse automated processes to assign sensitive permissions, compromising the security of the environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment to service principal.\" | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', 0) | search userType = \"ServicePrincipal\" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_admin_consent_bypassed_by_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Advanced Audit Disabled", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "49862dd4-9cb2-4c48-a542-8c8a588d9361", "description": "The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.", "references": ["https://attack.mitre.org/techniques/T1562/008/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Advanced auditing for user $object$ was disabled by $user$", "risk_score": 32, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1562.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Change user license.\" | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = \"extendedAuditEventCategory\" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, \"NewValue\") | eval possible_plan=mvindex(split_value, 1) | rex field=\"possible_plan\" \"DisabledPlans=\\[(?P[^\\]]+)\\]\" | search DisabledPlans IN (\"*M365_ADVANCED_AUDITING*\") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_advanced_audit_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Application Registration Owner Added", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "c068d53f-6aaa-4558-8011-3734df878266", "description": "The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $app_displayName$ was assigned a new owner $object$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add owner to application.\" | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, user, app_displayName, object | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Application owners may be added for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_application_registration_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "49cdce75-f814-4d56-a7a4-c64ec3a481f2", "description": "The following analytic detects the assignment of the ApplicationImpersonation role in Office 365 to a user or application. It uses the Office 365 Management Activity API to monitor Azure Active Directory audit logs for role assignment events. This activity is significant because the ApplicationImpersonation role allows impersonation of any user, enabling access to and modification of their mailbox. If confirmed malicious, an attacker could gain unauthorized access to sensitive information, manipulate mailbox data, and perform actions as a legitimate user, posing a severe security risk to the organization.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://www.mandiant.com/media/17656"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "target_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted the ApplicationImpersonation role to $target_user$", "risk_score": 56, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-ManagementRoleAssignment\" Role=ApplicationImpersonation | rename User as target_user | stats max(_time) as lastTime by Operation, user, object, ObjectId, Role, target_user | `security_content_ctime(lastTime)` | `o365_applicationimpersonation_role_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_applicationimpersonation_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Block User Consent For Risky Apps Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "12a23592-e3da-4344-8545-205d3290647c", "description": "The following analytic detects when the \"risk-based step-up consent\" security setting in Microsoft 365 is disabled. It monitors Azure Active Directory logs for the \"Update authorization policy\" operation, specifically changes to the \"AllowUserConsentForRiskyApps\" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats, allowing users to grant consent to malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.", "references": ["https://attack.mitre.org/techniques/T1562/", "https://goodworkaround.com/2020/10/19/a-look-behind-the-azure-ad-permission-classifications-preview/", "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-risk-based-step-up-consent", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Risk-based step-up consent security setting was disabled by $user$", "risk_score": 30, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update authorization policy.\" | eval index_number = if(mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\") >= 0, mvfind('ModifiedProperties{}.Name', \"AllowUserConsentForRiskyApps\"), -1) | search index_number >= 0 | eval AllowUserConsentForRiskyApps = mvindex('ModifiedProperties{}.NewValue',index_number) | where AllowUserConsentForRiskyApps like \"%true%\" | stats count min(_time) as firstTime max(_time) as lastTime by user, Operation, AllowUserConsentForRiskyApps, user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_block_user_consent_for_risky_apps_disabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_block_user_consent_for_risky_apps_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Bypass MFA via Trusted IP", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 4, "id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "description": "The following analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. It leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. This activity is significant because adding trusted IPs can weaken the security posture by bypassing MFA, which is a critical security control. If confirmed malicious, this could lead to unauthorized access, compromising sensitive information and systems. Immediate investigation is required to validate the legitimacy of the IP addition.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/techniques/T1562/007/", "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ip_addresses_new_added", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Set Company Information.\" ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | rex max_match=100 field=ModifiedProperties{}.OldValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,\"0\") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter`", "how_to_implement": "You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_bypass_mfa_via_trusted_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Compliance Content Search Exported", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8", "description": "The following analytic identifies when the results of a content search within the Office 365 Security and Compliance Center are exported. It uses the SearchExported operation from the SecurityComplianceCenter workload in the o365_management_activity data source. This activity is significant because exporting search results can involve sensitive or critical organizational data, potentially leading to data exfiltration. If confirmed malicious, an attacker could gain access to and exfiltrate sensitive information, posing a severe risk to the organization's data security and compliance posture.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search export was started by $user$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=\"SearchExported\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_exported_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searche exports may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_compliance_content_search_exported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Compliance Content Search Started", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "f4cabbc7-c19a-4e41-8be5-98daeaccbb50", "description": "The following analytic detects when a content search is initiated within the Office 365 Security and Compliance Center. It leverages the SearchCreated operation from the o365_management_activity logs under the SecurityComplianceCenter workload. This activity is significant as it may indicate an attempt to access sensitive organizational data, including emails and documents. If confirmed malicious, this could lead to unauthorized data access, potential data exfiltration, and compliance violations. Monitoring this behavior helps ensure the integrity and security of organizational data.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview", "https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions", "https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new compliance content search was started by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_compliance_content_search_started_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Compliance content searches may be executed for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_compliance_content_search_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Concurrent Sessions From Different Ips", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "58e034de-1f87-4812-9dc3-a4f68c7db930", "description": "The following analytic identifies user sessions in Office 365 accessed from multiple IP addresses, indicating potential adversary-in-the-middle (AiTM) phishing attacks. It detects this activity by analyzing Azure Active Directory logs for 'UserLoggedIn' operations and flags sessions with more than one associated IP address. This behavior is significant as it suggests unauthorized concurrent access, which is uncommon in normal usage. If confirmed malicious, the impact could include data theft, account takeover, and the launching of internal phishing campaigns, posing severe risks to organizational security.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ips", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ has logged in with the same session id from more than one unique IP address", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1185"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn | stats min(_time) as firstTime max(_time) as lastTime values(src_ip) as ips values(user_agent) as user_agents by Operation, user, SessionId | where mvcount(ips) > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unknown", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Disable MFA", "author": "Rod Soto, Splunk", "date": "2024-05-11", "version": 3, "id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "description": "The following analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to MFA settings. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. If confirmed malicious, this activity could indicate an attacker attempting to maintain persistence or an insider threat, significantly increasing the risk of unauthorized access. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.", "references": ["https://attack.mitre.org/techniques/T1556/"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ has executed an operation $action$ for user $user$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1556"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Disable Strong Authentication.\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to disable MFA or Strong Authentication", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_disable_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Elevated Mailbox Permission Assigned", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "2246c142-a678-45f8-8546-aaed7e0efd30", "description": "The following analytic identifies the assignment of elevated mailbox permissions in an Office 365 environment via the Add-MailboxPermission operation. It leverages logs from the Exchange workload in the o365_management_activity data source, focusing on permissions such as FullAccess, ChangePermission, or ChangeOwner. This activity is significant as it indicates potential unauthorized access or control over mailboxes, which could lead to data exfiltration or privilege escalation. If confirmed malicious, attackers could gain extensive access to sensitive email data and potentially manipulate mailbox settings, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission", "https://learn.microsoft.com/en-us/exchange/recipients/mailbox-permissions?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest_user", "type": "User", "role": ["Victim"]}], "message": "Elevated mailbox permissions were assigned on $dest_user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission | search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner) | rename Identity AS dest_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_elevated_mailbox_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "FullAccess mailbox delegation may be assigned for legitimate purposes, filter as needed.", "datamodel": ["Change"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_elevated_mailbox_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Excessive Authentication Failures Alert", "author": "Rod Soto, Splunk", "date": "2024-05-18", "version": 3, "id": "d441364c-349c-453b-b55f-12eccab67cf9", "description": "The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the `o365_management_activity` dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1110/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The threshold for alert is above 10 attempts and this should reduce the number of false positives.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_excessive_authentication_failures_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Excessive SSO logon errors", "author": "Rod Soto, Splunk", "date": "2024-05-17", "version": 4, "id": "8158ccc4-6038-11eb-ae93-0242ac130002", "description": "The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization.", "references": ["https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$.", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1556"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_excessive_sso_logon_errors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 File Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "6c382336-22b8-4023-9b80-1689e799f21f", "description": "The following analytic identifies instances where a user in the Office 365 environment grants consent to an application requesting file permissions for OneDrive or SharePoint. It leverages O365 audit logs, focusing on OAuth application consent events. This activity is significant because granting such permissions can allow applications to access, modify, or delete files, posing a risk if the application is malicious or overly permissive. If confirmed malicious, this could lead to data breaches, data loss, or unauthorized data manipulation, necessitating immediate investigation to validate the application's legitimacy and assess potential risks.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests file-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Files.Read\", \"Files.Read.All\", \"Files.ReadWrite\", \"Files.ReadWrite.All\", \"Files.ReadWrite.AppFolder\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require file permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_file_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "01a510b3-a6ac-4d50-8812-7e8a3cde3d79", "description": "The following analytic detects the assignment of the 'full_access_as_app' permission to an application registration in Office 365 Exchange Online. This detection leverages Office 365 management activity logs and filters Azure Active Directory workload events to identify when the specific permission, identified by GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is granted. This activity is significant because it provides extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. If confirmed malicious, this could lead to unauthorized data access, exfiltration, or account compromise. Immediate investigation is required.", "references": ["https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://attack.mitre.org/techniques/T1098/002/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned the full_access_as_app permission to the app registration $object$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098.002", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.ResourceAppId\"=\"00000002-0000-0ff1-ce00-000000000000\" \"{}.RequiredAppPermissions{}.EntitlementId\"=\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_fullaccessasapp_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 High Number Of Failed Authentications for User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "31641378-2fa9-42b1-948e-25e281cb98f7", "description": "The following analytic identifies an O365 account experiencing more than 20 failed authentication attempts within 5 minutes. It uses O365 Unified Audit Logs, specifically \"UserLoginFailed\" events, to monitor and flag accounts exceeding this threshold. This activity is significant as it may indicate a brute force attack or password guessing attempt. If confirmed malicious, an attacker could gain unauthorized access to the O365 environment, potentially compromising sensitive emails, documents, and other data. Prompt investigation and action are crucial to prevent unauthorized access and data breaches.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ failed to authenticate more than 10 times in the span of 5 minutes.", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1110", "T1110.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip by user, _time | where failed_attempts > 10 | `o365_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Although unusual, users who have lost their passwords may trigger this detection. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "O365 High Privilege Role Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "e78a1037-4548-4072-bb1b-ad99ae416426", "description": "The following analytic detects when high-privilege roles such as \"Exchange Administrator,\" \"SharePoint Administrator,\" or \"Global Administrator\" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide", "https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "$user$ granted high privilege roles to $ObjectId$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Add member to role.\" Workload=AzureActiveDirectory | eval role_id = mvindex('ModifiedProperties{}.NewValue',2) | eval role_name = mvindex('ModifiedProperties{}.NewValue',1) | where role_id IN (\"29232cdf-9323-42fd-ade2-1d097af3e4de\", \"f28a1f50-f6e7-4571-818b-6a12f2af6b6c\", \"62e90394-69f5-4237-9190-012177145e10\") | stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_high_privilege_role_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privilege roles may be assigned for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_high_privilege_role_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "fddad083-cdf5-419d-83c6-baa85e329595", "description": "The following analytic identifies instances where a user grants consent to an application requesting mail-related permissions within the Office 365 environment. It leverages O365 audit logs, specifically focusing on events related to application permissions and user consent actions. This activity is significant as it can indicate potential security risks, such as data exfiltration or spear phishing, if malicious applications gain access. If confirmed malicious, this could lead to unauthorized data access, email forwarding, or sending malicious emails from the compromised account. Validating the legitimacy of the application and consent context is crucial to prevent data breaches.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ consented an OAuth application that requests mail-related permissions.", "risk_score": 40, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions \"Scope: (?[^,]+)\" | makemv delim=\" \" Scope | search Scope IN (\"Mail.Read\", \"Mail.ReadBasic\", \"Mail.ReadWrite\", \"Mail.Read.Shared\", \"Mail.ReadWrite.Shared\", \"Mail.Send\", \"Mail.Send.Shared\") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_mail_permissioned_application_consent_granted_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mail_permissioned_application_consent_granted_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Email Forwarding Enabled", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "0b6bc75c-05d1-4101-9fc3-97e706168f24", "description": "The following analytic identifies instances where email forwarding has been enabled on mailboxes within an Office 365 environment. It detects this activity by monitoring the Set-Mailbox operation within the o365_management_activity logs, specifically looking for changes to the ForwardingAddress or ForwardingSmtpAddress parameters. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "references": ["https://attack.mitre.org/techniques/T1114/003/", "https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Email forwarding configured by $user$ on mailbox $ObjectId$", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=Set-Mailbox | eval match1=mvfind('Parameters{}.Name', \"ForwardingAddress\") | eval match2=mvfind('Parameters{}.Name', \"ForwardingSmtpAddress\") | where match1>= 0 OR match2>= 0 | eval ForwardTo=coalesce(ForwardingAddress, ForwardingSmtpAddress) | search ForwardTo!=\"\" | rename user_id as user | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ForwardTo) as ForwardTo by user ObjectId |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_mailbox_email_forwarding_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Email forwarding may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_email_forwarding_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "1435475e-2128-4417-a34f-59770733b0d5", "description": "The following analytic identifies instances where read permissions are assigned to mailbox folders within an Office 365 environment. It leverages the `o365_management_activity` data source, specifically monitoring the `ModifyFolderPermissions` and `AddFolderPermissions` operations, while excluding Calendar, Contacts, and PersonMetadata objects. This activity is significant as unauthorized read permissions can lead to data exposure and potential information leakage. If confirmed malicious, an attacker could gain unauthorized access to sensitive emails, leading to data breaches and compromising the confidentiality of organizational communications.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946", "https://learn.microsoft.com/en-us/purview/audit-mailboxes"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange (Operation=ModifyFolderPermissions OR Operation=AddFolderPermissions) Workload=Exchange object!=Calendar object!=Contacts object!=PersonMetadata | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, object, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_folder_read_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Folder Read Permission Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "cd15c0a8-470e-4b12-9517-046e4927db30", "description": "The following analytic identifies instances where read permissions are granted to mailbox folders within an Office 365 environment. It detects this activity by monitoring the `o365_management_activity` data source for the `Set-MailboxFolderPermission` and `Add-MailboxFolderPermission` operations. This behavior is significant as it may indicate unauthorized access or changes to mailbox folder permissions, potentially exposing sensitive email content. If confirmed malicious, an attacker could gain unauthorized access to read email communications, leading to data breaches or information leakage.", "references": ["https://attack.mitre.org/techniques/T1098/002/", "https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxfolderpermission?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A folder was granted read permission by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange (Operation=\"Set-MailboxFolderPermission\" OR Operation=\"Add-MailboxFolderPermission\" ) | eval isReadRole=if(match(AccessRights, \"^(ReadItems|Author|NonEditingAuthor|Owner|PublishingAuthor|Reviewer)$\"), \"true\", \"false\") | search isReadRole=\"true\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Identity, AccessRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_folder_read_permission_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Mailbox folder permissions may be configured for legitimate purposes, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_folder_read_permission_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "21421896-a692-4594-9888-5faeb8a53106", "description": "The following analytic detects instances where the inbox folder of an Office 365 mailbox is shared with all users within the tenant. It leverages Office 365 management activity events to identify when the 'Inbox' folder permissions are modified to include 'Everyone' with read rights. This activity is significant as it represents a potential security risk, allowing unauthorized access to sensitive emails. If confirmed malicious, this could lead to data breaches, exfiltration of confidential information, and further compromise through spear-phishing or other malicious activities based on the accessed email content.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.blackhillsinfosec.com/abusing-exchange-mailbox-permissions-mailsniper/", "https://learn.microsoft.com/en-us/purview/audit-mailboxes", "https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxodlgt/5610c6e6-3268-44e3-adff-8804f5315946"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "MailboxOwnerUPN", "type": "User", "role": ["Victim"]}], "message": "Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users.", "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1114", "T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=ModifyFolderPermissions Workload=Exchange object=Inbox Item.ParentFolder.MemberUpn=Everyone | eval isReadRole=if(match('Item.ParentFolder.MemberRights', \"(ReadAny)\"), \"true\", \"false\") | search isReadRole = \"true\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, UserId, object, MailboxOwnerUPN, Item.ParentFolder.MemberUpn, Item.ParentFolder.MemberRights | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_inbox_folder_shared_with_all_users_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_inbox_folder_shared_with_all_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Mailbox Read Access Granted to Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "27ab61c5-f08a-438a-b4d3-325e666490b3", "description": "The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://attack.mitre.org/techniques/T1114/002/", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.cisa.gov/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://graphpermissions.merill.net/permission/Mail.Read"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Application registration $object$ was grandes mailbox read access by $user$", "risk_score": 45, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1114.002", "T1114", "T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Update application.\" | eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) | eval json_data=replace(json_data, \"^\\[\\s*\", \"\") | eval json_data=replace(json_data, \"\\s*\\]$\", \"\") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\") | where isnotnull(match_found) | stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_mailbox_read_access_granted_to_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 2, "id": "ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa", "description": "The following analytic identifies a spike in failed authentication attempts within an Office 365 environment, indicative of a potential distributed password spraying attack. It leverages UserLoginFailed events from O365 Management Activity logs, focusing on ErrorNumber 50126. This detection is significant as it highlights attempts to bypass security controls using multiple IP addresses and user agents. If confirmed malicious, this activity could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization. Early detection is crucial to prevent account takeovers and mitigate subsequent threats.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An anomalous multi source authentication spike ocurred at $_time$", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | eval uniqueIPUserCombo = src_ip . \"-\" . user | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, values(user) as user, values(src_ip) as ips, values(user_agent) as user_agents by _time | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 | `o365_multi_source_failed_authentications_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.", "known_false_positives": "This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multi_source_failed_authentications_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "66adc486-224d-45c1-8e4d-9e7eeaba988f", "description": "The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.", "references": ["https://attack.mitre.org/techniques/T1078/", "https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/", "https://github.com/dafthack/MFASweep", "https://www.youtube.com/watch?v=SK1zgqaAZ2E"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids.", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed) | bucket span=5m _time | stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip | where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2 | `o365_multiple_appids_and_useragents_authentication_spike_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_appids_and_useragents_authentication_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Failed MFA Requests For User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "fd22124e-dbac-4744-a8ce-be10d8ec3e26", "description": "The following analytic identifies potential \"MFA fatigue\" attacks targeting Office 365 users by detecting more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. It leverages O365 management activity logs, focusing on Azure Active Directory events with the UserLoginFailed operation, a Success ResultStatus, and an ErrorNumber of 500121. This activity is significant as attackers may exploit MFA fatigue to gain unauthorized access by overwhelming users with repeated MFA requests. If confirmed malicious, this could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation is crucial.", "references": ["https://attack.mitre.org/techniques/T1621/"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Multiple failed MFA requestes for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1621"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "7cd853e9-d370-412f-965d-a2bcff2a2908", "description": "The following analytic detects when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) within a short timeframe. It leverages 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. This activity is significant as it may indicate unauthorized mass email access, potentially signaling data exfiltration or account compromise. If confirmed malicious, attackers could gain access to sensitive information, leading to data breaches and further exploitation of compromised accounts. The threshold is set to flag over five unique mailboxes accessed within 10 minutes, but should be tailored to your environment.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, \"^Client=WebServices;ExchangeWebServices\"), 1, 0) | search (AppId=\"00000003-0000-0000-c000-000000000000\" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_mailboxes_accessed_via_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by SP", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe", "description": "The following analytic identifies instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in the Office 365 Azure Active Directory environment. This activity is significant as it may indicate a compromised or malicious service principal attempting to expand control or access within the network. If confirmed malicious, this could lead to unauthorized access and potential lateral movement within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"ServicePrincipal\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_service_principals_created_by_sp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Multiple Service Principals Created by User", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "a34e65d0-54de-4b02-9db8-5a04522067f6", "description": "The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. It leverages O365 logs from the Unified Audit Log, focusing on the 'Add service principal' operation in Azure Active Directory. This activity is significant as it may indicate a compromised user account or unauthorized actions, potentially leading to broader network infiltration or privilege escalation. If confirmed malicious, this behavior could allow attackers to gain persistent access, escalate privileges, or exfiltrate sensitive information.", "references": ["https://attack.mitre.org/techniques/T1136/003/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Multiple OAuth applications were created by $src_user$ in a short period of time", "risk_score": 42, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1136.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal.\" | bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = \"User\" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_service_principals_created_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 3, "id": "8d486e2e-3235-4cfe-ac35-0d042e24ecb4", "description": "The following analytic identifies instances where more than 10 unique user accounts fail to authenticate from a single IP address within a 5-minute window. This detection leverages O365 audit logs, specifically Azure Active Directory login failures (AzureActiveDirectoryStsLogon). Such activity is significant as it may indicate brute-force attacks or password spraying attempts. If confirmed malicious, this behavior suggests an external entity is attempting to breach security by targeting multiple accounts, potentially leading to unauthorized access. Immediate action is required to block or monitor the suspicious IP and notify affected users to enhance their security measures.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes.", "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ErrorNumber=50126 | bucket span=5m _time | stats dc(user) as unique_accounts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip | where unique_accounts > 10 | `o365_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "68469fd0-1315-44ba-b7e4-e92847bb76d6", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters like ForwardTo, ForwardAsAttachmentTo, and RedirectTo. This activity is significant as unauthorized email forwarding can lead to data exfiltration and unauthorized access to sensitive information. If confirmed malicious, attackers could intercept and redirect emails, potentially compromising confidential communications and leading to data breaches.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` (Operation=New-InboxRule OR Operation=set-InboxRule) | eval match1=mvfind('Parameters{}.Name', \"ForwardTo\") | eval match2=mvfind('Parameters{}.Name', \"ForwardAsAttachmentTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectTo\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ForwardTo=coalesce(ForwardTo, ForwardAsAttachmentTo, RedirectTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_email_forwarding_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New Email Forwarding Rule Enabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "ac7c4d0a-06a3-4278-aa59-88a5e537f981", "description": "The following analytic identifies the creation of new email forwarding rules in an Office 365 environment via the UpdateInboxRules operation. It leverages Office 365 management activity events to detect rules that forward emails to external recipients by examining the OperationProperties for specific forwarding actions. This activity is significant as it may indicate unauthorized email redirection, potentially leading to data exfiltration. If confirmed malicious, attackers could intercept sensitive communications, leading to data breaches and information leakage.", "references": ["https://attack.mitre.org/techniques/T1114/003/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A forwarding email inbox rule was created for $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114", "T1114.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=UpdateInboxRules | eval match1=mvfind('OperationProperties{}.Value', \"ForwardToRecipientsAction\") | eval match2=mvfind('OperationProperties{}.Value', \"ForwardAsAttachmentToRecipientsAction\") | eval match3=mvfind('OperationProperties{}.Value', \"RedirectToRecipientsAction\") | eval index = mvfind('OperationProperties{}.Name', \"ServerRule\") | where match1>= 0 OR match2>= 0 OR match3>= 0 | eval ServerRule = mvindex('OperationProperties{}.Value', index-1) | spath input=ServerRule path=Actions{}.Recipients{}.Values{}.Value output=valueExtracted | mvexpand valueExtracted | search valueExtracted=\"*@*.*\" | eval ForwardTo=if(match(valueExtracted, \"^[^@]+@[^@]+\\\\.[^@]+$\"), valueExtracted, null) | dedup ForwardTo | where isnotnull(ForwardTo) | stats count min(_time) as firstTime max(_time) as lastTime values(Name) as Name by user Operation ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_email_forwarding_rule_enabled_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may create email forwarding rules for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_email_forwarding_rule_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New Federated Domain Added", "author": "Rod Soto, Mauricio Velazco Splunk", "date": "2024-05-28", "version": 4, "id": "e155876a-6048-11eb-ae93-0242ac130002", "description": "The following analytic identifies the addition of a new federated domain in an Office 365 environment. This behavior is detected by analyzing Office 365 management activity logs, specifically filtering for Workload=Exchange and Operation=\"Add-FederatedDomain\". The addition of a new federated domain is significant as it may indicate unauthorized changes or potential compromises. If confirmed malicious, attackers could establish a backdoor, bypass security measures, or exfiltrate data, leading to data breaches and unauthorized access to sensitive information. Immediate investigation is required to review the details of the added domain and any concurrent suspicious activities.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://o365blog.com/post/aadbackdoor/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has added a new federated domain $new_value$", "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1136.003", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation IN (\"*add*\", \"*new*\") AND Operation=\"*domain*\" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.", "known_false_positives": "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New Forwarding Mailflow Rule Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "289ed0a1-4c78-4a43-9321-44ea2e089c14", "description": "The following analytic detects the creation of new mail flow rules in Office 365 that may redirect or copy emails to unauthorized or external addresses. It leverages Office 365 Management Activity logs, specifically querying for the \"New-TransportRule\" operation and parameters like \"BlindCopyTo\", \"CopyTo\", and \"RedirectMessageTo\". This activity is significant as it can indicate potential data exfiltration or unauthorized access to sensitive information. If confirmed malicious, attackers could intercept or redirect email communications, leading to data breaches or information leakage.", "references": ["https://attack.mitre.org/techniques/T1114/", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rule-actions"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new forwarding mailflow rule was created by $user$", "risk_score": 42, "security_domain": "audit", "risk_severity": "low", "mitre_attack_id": ["T1114"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=Exchange Operation=\"New-TransportRule\" | eval match1=mvfind('Parameters{}.Name', \"BlindCopyTo\") | eval match2=mvfind('Parameters{}.Name', \"CopyTo\") | eval match3=mvfind('Parameters{}.Name', \"RedirectMessageTo\") | where match1>= 0 OR match2>= 0 OR match3>=0 | eval ForwardTo=coalesce(BlindCopyTo, CopyTo, RedirectMessageTo) | search ForwardTo!=\"\" | rename UserId as user | stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, user, Name, ForwardTo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_forwarding_mailflow_rule_created_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Forwarding mail flow rules may be created for legitimate reasons, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_forwarding_mailflow_rule_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 New MFA Method Registered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "4e12db1f-f7c7-486d-8152-a221cad6ac2b", "description": "The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account within Office 365. It leverages O365 audit logs to identify changes in MFA configurations. This activity is significant as it may indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges or access sensitive data. Immediate verification and remediation are required to secure the affected account.", "references": ["https://attack.mitre.org/techniques/T1098/005/", "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/", "https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html"], "tags": {"analytic_story": ["Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A new MFA method was added for $user$", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update user.\" | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | rex field=oldvalue max_match=0 \"(?i)(?\\\"MethodType\\\")\" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Users may register MFA methods legitimally, investigate and filter as needed.", "datamodel": ["Authentication"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_mfa_method_registered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "e600cf1a-0bef-4426-b42e-00176d610a4d", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS) using OAuth-authenticated applications. It leverages the ClientInfoString field to identify EWS interactions and aggregates metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. Monitoring OAuth applications accessing emails through EWS is crucial for identifying potential abuse or unauthorized data access. If confirmed malicious, this activity could lead to unauthorized email access, data exfiltration, or further compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString=\"^Client=WebServices;ExchangeWebServices\" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list.", "datamodel": ["Web"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_oauth_app_mailbox_access_via_ews_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "9db0d5b0-4058-4cb7-baaf-77d8143539a2", "description": "The following analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API using the client ID '00000003-0000-0000-c000-000000000000'. It leverages the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. This activity is significant as unauthorized access to emails can lead to data breaches and information theft. If confirmed malicious, attackers could exfiltrate sensitive information, compromise user accounts, and further infiltrate the organization’s network.", "references": ["https://attack.mitre.org/techniques/T1114/002/", "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/graph/permissions-reference"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.", "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_oauth_app_mailbox_access_via_graph_api_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Privileged Graph API Permission Assigned", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb", "description": "The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial.", "references": ["https://cloudbrothers.info/en/azure-attack-paths/", "https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json", "https://learn.microsoft.com/en-us/graph/permissions-reference", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ assigned privileged Graph API permissions to $object$", "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application.\" | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search \"{}.RequiredAppPermissions{}.EntitlementId\"=\"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"06b708a9-e830-4db3-a914-8e69da51d44f\" OR \"{}.RequiredAppPermissions{}.EntitlementId\"=\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_privileged_graph_api_permission_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 PST export alert", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 3, "id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "description": "The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name \"eDiscovery search started or exported.\" This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required.", "references": ["https://attack.mitre.org/techniques/T1114/"], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Source", "type": "User", "role": ["Victim"]}], "message": "User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Category=ThreatManagement Name=\"eDiscovery search started or exported\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_pst_export_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Security And Compliance Alert Triggered", "author": "Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 2, "id": "5b367cdd-8dfc-49ac-a9b7-6406cf27f33e", "description": "The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide", "https://learn.microsoft.com/en-us/purview/alert-policies"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Security and Compliance triggered an alert for $user$", "risk_score": 48, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered | spath input=Data path=f3u output=user | spath input=Data path=op output=operation | spath input=_raw path=wl | spath input=Data path=rid output=rule_id | spath input=Data path=ad output=alert_description | spath input=Data path=lon output=operation_name | spath input=Data path=an output=alert_name | spath input=Data path=sev output=severity | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_security_and_compliance_alert_triggered_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_security_and_compliance_alert_triggered_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Service Principal New Client Credentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "a1b229e9-d962-4222-8c62-905a8a010453", "description": "The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application's identity.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "New credentials added for Service Principal $object$", "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_management_activity` Workload=AzureActiveDirectory Operation=\"Update application*Certificates and secrets management \" | stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "50eaabf8-5180-4e86-bfb2-011472c359fc", "description": "The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to organizational data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.", "references": ["https://attack.mitre.org/techniques/T1098/003/", "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/"], "tags": {"analytic_story": ["NOBELIUM Group", "Office 365 Persistence Mechanisms"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The $object$ application registration was granted tenant wide admin consent.", "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1098.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=\"Consent to application.\" | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field \"ConsentType: (?[^\\,]+)\" | rex field=new_field \"Scope: (?[^\\,]+)\" | search ConsentType = \"AllPrincipals\" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Legitimate applications may be granted tenant wide consent, filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_tenant_wide_admin_consent_granted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 User Consent Blocked for Risky Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "242e4d30-cb59-4051-b0cf-58895e218f40", "description": "The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This detection leverages O365 audit logs, specifically focusing on failed user consent actions due to system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that O365's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "O365 has blocked $user$ attempt to grant to consent to an application deemed risky.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Consent to application.\" ResultStatus=Failure | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | eval reason =mvindex('ModifiedProperties{}.NewValue', 5) | search reason = \"Risky application detected\" | rex field=permissions \"Scope: (?[^,]+)\" | stats max(_time) as lastTime by Operation, user, reason, object, Scope | `security_content_ctime(lastTime)` | `o365_user_consent_blocked_for_risky_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_user_consent_blocked_for_risky_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 User Consent Denied for OAuth Application", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "2d8679ef-b075-46be-8059-c25116cb1072", "description": "The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Office 365 environment. This detection leverages O365 audit logs, focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, it captures instances where users have actively rejected permission requests. This activity is significant as it may indicate users spotting potentially suspicious or unfamiliar applications. If confirmed malicious, it suggests an attempt by a potentially harmful application to gain unauthorized access, which was proactively blocked by the user.", "references": ["https://attack.mitre.org/techniques/T1528/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"analytic_story": ["Office 365 Account Takeover"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "User $user$ denifed consent for an OAuth application.", "risk_score": 30, "security_domain": "identity", "risk_severity": "low", "mitre_attack_id": ["T1528"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `o365_graph` status.errorCode=65004 | rename userPrincipalName as user | rename ipAddress as src_ip | stats max(_time) as lastTime by user src_ip appDisplayName status.failureReason | `security_content_ctime(lastTime)` | `o365_user_consent_denied_for_oauth_application_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events.", "known_false_positives": "OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.", "datamodel": [], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "o365_graph", "definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_user_consent_denied_for_oauth_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Risk Rule for Dev Sec Ops by Repository", "author": "Bhavin Patel", "date": "2024-05-24", "version": 2, "id": "161bc0ca-4651-4c13-9c27-27770660cf67", "description": "The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages risk events from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "Amazon Elastic Container Registry", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Other", "role": ["Victim"]}], "message": "Correlation triggered for repository $risk_object$", "risk_score": 70, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Dev Sec Ops\" All_Risk.risk_object_type = \"other\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`", "how_to_implement": "Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security.", "known_false_positives": "Unknown", "datamodel": ["Risk"], "source": "cloud", "nes_fields": "user,dest", "macros": [{"name": "risk_rule_for_dev_sec_ops_by_repository_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "2a9b80d3-6340-4345-b5ad-290bf5d0dac4", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_launched_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "dec41ad5-d579-42cb-b4c6-f5dbb778bbe5", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_launched_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "8d301246-fccf-45e2-a8e7-3655fd14379c", "description": "This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_terminated_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "author": "Jason Brewer, Splunk", "date": "2020-07-21", "version": 2, "id": "1c02b86a-cd85-473e-a50b-014a9ac8fe3e", "description": "This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename \"IsOutlier(instances_terminated)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "ASL AWS CreateAccessKey", "author": "Patrick Bareiss, Splunk", "date": "2022-05-23", "version": 1, "id": "ccb3e4af-23d6-407f-9842-a26212816c9e", "description": "This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $responseElements.accessKey.userName$ is attempting to create access keys for $responseElements.accessKey.userName$ from this IP $src_endpoint.ip$", "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin \"^(?[^,]+),(?.*)$\" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Excessive Security Scanning", "author": "Patrick Bareiss, Splunk", "date": "2023-06-01", "version": 1, "id": "ff2bfdbc-65b7-4434-8f08-d55761d1d446", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "user $identity.user.name$ has excessive number of api calls.", "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ASL AWS Password Policy Changes", "author": "Patrick Bareiss, Splunk", "date": "2023-05-22", "version": 1, "id": "5ade5937-11a2-4363-ba6b-39a3ee8d5b1a", "description": "This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "message": "User $identity.user.name$ is attempting to $api.operation$ the password policy for accounts", "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`amazon_security_lake` \"api.service.name\"=\"iam.amazonaws.com\" \"api.operation\" IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") \"api.response.error\"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen City", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "344a1778-0b25-490c-adb1-de8beddf59cd", "description": "This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "ceb8d3d8-06cb-49eb-beaf-829526e33ff0", "description": "This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "42e15012-ac14-4801-94f4-f1acbe64880b", "description": "This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "7971d3df-da82-4648-a6e5-b5637bea5253", "description": "This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\nThis search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloud_provisioning_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7f227943-2196-4d4d-8d6a-ac8cb308e61c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`", "how_to_implement": "You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Clients Connecting to Multiple DNS Servers", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "74ec6f18-604b-4202-a567-86b2066be3ce", "description": "This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\"Network_Resolution\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter`", "how_to_implement": "This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Distinct DNS Connections, **Field:** dest_count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "clients_connecting_to_multiple_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Cloud Network Access Control List Deleted", "author": "Peter Gael, Splunk", "date": "2020-09-08", "version": 1, "id": "021abc51-1862-41dd-ad43-43c739c0a983", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloud_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Correlation by Repository and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687", "description": "This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "correlation_by_repository_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Correlation by User and Risk", "author": "Patrick Bareiss, Splunk", "date": "2021-09-06", "version": 1, "id": "610e12dc-b6fa-4541-825e-4a0b3b6f6773", "description": "The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event.", "references": [], "tags": {"analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Correlation triggered for user $user$", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1204.003", "T1204"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "correlation_by_user_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Activity Related to Pass the Hash Attacks", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "date": "2020-10-15", "version": 6, "id": "f5939373-8054-40ad-8c64-cec478a22a4b", "description": "This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique.", "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName=\"ANONYMOUS LOGON\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`", "how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.", "known_false_positives": "Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "detect_activity_related_to_pass_the_hash_attacks_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect API activity from users without MFA", "author": "Bhavin Patel, Splunk", "date": "2018-05-17", "version": 1, "id": "4d46e8bd-4072-48e4-92db-0325889ef894", "description": "This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** AWS User ARN, **Field:** userIdentity.arn\n* **Label:** AWS User Type, **Field:** userIdentity.type\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_api_activity_from_users_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d82362d4bd55", "description": "This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \"Create a list of approved AWS service accounts\": run it once every 30 days to create and validate a list of service accounts.\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** First Time, **Field:** firstTime\n* **Label:** Last Time, **Field:** lastTime\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_aws_api_activities_from_unapproved_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "24dd17b1-e2fb-4c31-878c-d4f226595bfa", "description": "This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.", "references": [], "tags": {"analytic_story": ["Common Phishing Frameworks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1566.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \"Web.*\" as * | rex field=site \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`", "how_to_implement": "You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app.\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`)", "known_false_positives": "If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.", "datamodel": ["Network_Resolution", "Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "evilginx_phishlets_0365", "definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365"}, {"name": "evilginx_phishlets_amazon", "definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon"}, {"name": "evilginx_phishlets_aws", "definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console"}, {"name": "evilginx_phishlets_facebook", "definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook"}, {"name": "evilginx_phishlets_github", "definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub"}, {"name": "evilginx_phishlets_google", "definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google"}, {"name": "evilginx_phishlets_outlook", "definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook"}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Long DNS TXT Record Response", "author": "Rico Valdez, Splunk", "date": "2020-07-21", "version": 2, "id": "05437c07-62f5-452e-afdc-04dd44815bb9", "description": "This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \"Source IP\", dest as \"Destination IP\", answer as \"DNS Answer\" anslen as \"Answer Length\" record_type as \"DNS Record Type\" firstTime as \"First Time\" lastTime as \"Last Time\" count as Count | table \"Source IP\" \"Destination IP\" \"DNS Answer\" \"DNS Record Type\" \"Answer Length\" Count \"First Time\" \"Last Time\" | `detect_long_dns_txt_record_response_filter`", "how_to_implement": "To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.", "known_false_positives": "It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_long_dns_txt_record_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Mimikatz Using Loaded Images", "author": "Patrick Bareiss, Splunk", "date": "2019-12-03", "version": 1, "id": "29e307ba-40af-4ab2-91b2-3c6b392bbba0", "description": "This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Cloud Federated Credential Abuse", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack", "Sandworm Tools"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_mimikatz_using_loaded_images_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "author": "Rico Valdez, Splunk", "date": "2019-02-27", "version": 2, "id": "98917be2-bfc8-475a-8618-a9bb06575188", "description": "This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.", "references": [], "tags": {"analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`", "how_to_implement": "You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \"Administrators\" to be able to look for the right group membership changes.", "known_false_positives": "The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect new API calls from user roles", "author": "Bhavin Patel, Splunk", "date": "2018-04-16", "version": 1, "id": "22773e84-bac0-4595-b086-20d3f335b4f1", "description": "This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \"-70m@m\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously seen API call per user roles in AWS CloudTrail\" support search once to create a history of previously seen user roles.", "known_false_positives": "It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_api_calls_from_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect new user AWS Console Login", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f3-d82362dffd75", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.", "references": [], "tags": {"analytic_story": ["Suspicious AWS Login Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \"-70m@m\"), \"First Time Logging into AWS Console\",\"Previously Seen User\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\"First Time Logging into AWS Console\" | `detect_new_user_aws_console_login_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen users in AWS CloudTrail\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \"Update previously seen users in AWS CloudTrail\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_user_aws_console_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Spike in AWS API Activity", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "ada0f478-84a8-4641-a3f1-d32362d4bd55", "description": "This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** AWS Event Name, **Field:** eventName\n* **Label:** Number of API Calls, **Field:** numberOfApiCalls\n* **Label:** Unique API Calls, **Field:** uniqueApisCalled\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "None.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect Spike in Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 1, "id": "ada0f478-84a8-4641-a1f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1562.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Network ACL Activity by ARN\" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_network_acl_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "network_acl_events", "definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs"}], "lookups": []}, {"name": "Detect Spike in Security Group Activity", "author": "Bhavin Patel, Splunk", "date": "2018-04-18", "version": 1, "id": "ada0f478-84a8-4641-a3f1-e32372d4bd53", "description": "This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the \"Baseline of Security Group Activity by ARN\" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_security_group_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_group_api_calls", "definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups"}], "lookups": []}, {"name": "Detect USB device insertion", "author": "Bhavin Patel, Splunk", "date": "2017-11-27", "version": 1, "id": "104658f4-afdc-499f-9719-17a43f9826f5", "description": "The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Data Protection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\"Removable Storage device\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\"All_Changes\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.", "known_false_positives": "Legitimate USB activity will also be detected. Please verify and investigate as appropriate.", "datamodel": ["Change", "Change_Analysis"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_usb_device_insertion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect web traffic to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd01c18f301", "description": "This search looks for web connections to dynamic DNS providers.", "references": [], "tags": {"analytic_story": ["Dynamic DNS"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`", "how_to_implement": "This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.", "known_false_positives": "It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.", "datamodel": ["Web"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detect_web_traffic_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "dynamic_dns_web_traffic", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detection of DNS Tunnels", "author": "Bhavin Patel, Splunk", "date": "2022-02-15", "version": 2, "id": "104658f4-afdc-499f-9719-17a43f9826f4", "description": "This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\nNOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.", "references": [], "tags": {"analytic_story": ["Command And Control", "Data Protection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` dc(\"DNS.query\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.query\" | rename \"DNS.src\" as src \"DNS.query\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\"DNS.answer\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.answer\" | rename \"DNS.src\" as src \"DNS.answer\" as message | eval message=if(message==\"unknown\",\"\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`", "how_to_implement": "To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.", "known_false_positives": "It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "detection_of_dns_tunnels_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f6", "description": "This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Host Redirection", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\"DNS\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.", "known_false_positives": "Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS record changed", "author": "Jose Hernandez, Splunk", "date": "2020-07-21", "version": 3, "id": "44d3a43e-dcd5-49f7-8356-5209bb369065", "description": "The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.", "references": [], "tags": {"analytic_story": ["DNS Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\"unknown\" DNS.answer!=\"\" by DNS.query | rename DNS.query as query | where query!=\"unknown\" | rex field=query \"(?\\w+\\.\\w+?)(?:$|/)\"] | makemv delim=\" \" answer | makemv delim=\" \" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \"Discover DNS record\".\n**Splunk>Phantom Playbook Integration**\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"DNS Hijack Enrichment\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`)", "known_false_positives": "Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "dns_record_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Dump LSASS via procdump Rename", "author": "Michael Haag, Splunk", "date": "2021-02-01", "version": 1, "id": "21276daa-663d-11eb-ae93-0242ac130002", "description": "Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$, attempting to dump lsass.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "None identified.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "dump_lsass_via_procdump_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "EC2 Instance Modified With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 3, "id": "56f91724-cf3f-4666-84e1-e3712fb41e76", "description": "This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["Unusual AWS EC2 Modifications"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_modified_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "ec2_modification_api_calls", "definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "author": "Bhavin Patel, Splunk", "date": "2018-02-23", "version": 1, "id": "ada0f478-84a8-4641-a3f3-d82362d6fd75", "description": "This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1535"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\"-1d@d\"), \"Instance Started in a New Region\",\"Previously Seen Region\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\"Instance Started in a New Region\" | `ec2_instance_started_in_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen AWS Regions\" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_in_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen AMI", "author": "David Dorsey, Splunk", "date": "2018-03-12", "version": 1, "id": "347ec301-601b-48b9-81aa-9ddf9c829dd3", "description": "This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 AMIs\" support search once to create a history of previously seen AMIs.", "known_false_positives": "After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_ami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "author": "David Dorsey, Splunk", "date": "2020-02-07", "version": 2, "id": "65541c80-03c7-4e05-83c8-1dcd57a2e1ad", "description": "This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\"m1.small\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Instance Types\" support search once to create a history of previously seen instance types.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "EC2 Instance Started With Previously Unseen User", "author": "David Dorsey, Splunk", "date": "2020-07-21", "version": 2, "id": "22773e84-bac0-4595-b086-20d3f735b4f1", "description": "This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel.", "references": [], "tags": {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs.", "known_false_positives": "It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Execution of File With Spaces Before Extension", "author": "Rico Valdez, Splunk", "date": "2020-11-19", "version": 3, "id": "ab0353e6-a956-420b-b724-a8b4846d5d5a", "description": "This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.", "references": [], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* .*\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "execution_of_file_with_spaces_before_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Extended Period Without Successful Netbackup Backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aef-952c-3ea214444440", "description": "This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` MESSAGE=\"Disk/Partition backup completed successfully.\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \"-7d@d\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "extended_period_without_successful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "First time seen command line argument", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 5, "id": "a1b6e73f-98d5-470f-99ac-77aacd578473", "description": "This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "first_time_seen_command_line_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GCP Detect accounts with high risk roles by project", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "27af8c15-38b0-4408-b339-920170724adb", "description": "This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/understanding-roles"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Detect high risk permissions by resource and account", "author": "Rod Soto, Splunk", "date": "2020-10-09", "version": 1, "id": "2e70ef35-2187-431f-aedc-4503dc9b06ba", "description": "This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/permissions-reference"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "gcp detect oauth token abuse", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972", "description": "This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.", "references": ["https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1", "https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2"], "tags": {"analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "gcp_detect_oauth_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "GCP Kubernetes cluster scan detection", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "db5957ec-0144-4c56-b512-9dccbe7a2d26", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \"data.labels.authorization.k8s.io/decision\"=forbid \"data.protoPayload.status.message\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\"system:anonymous\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.", "datamodel": ["Email"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "gcp_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Identify New User Accounts", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "475b9e27-17e4-46e2-b7e2-648221be3b89", "description": "This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.", "references": [], "tags": {"analytic_story": [], "asset_type": "Domain Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, \"Accounts created in last week\") | search empStatus=\"Accounts created in last week\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`", "how_to_implement": "To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.", "known_false_positives": "If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "identify_new_user_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kubernetes AWS detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "5b30b25d-7d32-42d8-95ca-64dfcd9076e6", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "de7264ed-3ed9-4fef-bb01-6eefc87cefe8", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "b6013a7b-85e0-4a45-b051-10b252d69569", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "a6959c57-fa8f-4277-bb86-7c32fba579d5", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "55a2264a-b7f0-45e5-addd-1e5ab3415c72", "description": "This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "47af7d20-0607-4079-97d7-7a29af58b54e", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "1bba382b-07fd-4ffa-b390-8002739b76e8", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "f27349e5-1641-4f6a-9e68-30402be0ad4c", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "019690d7-420f-4da0-b320-f27b09961514", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-05-26", "version": 1, "id": "4b6d1ba8-0000-4cec-87e6-6cbbd71651b5", "description": "This search provides information on rare Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure pod scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "86aad3e0-732f-4f66-bbbc-70df448e461d", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_pod_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes Azure scan fingerprint", "author": "Rod Soto, Splunk", "date": "2020-05-19", "version": 1, "id": "c5e5bd5c-1013-4841-8b23-e7b3253c840a", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure", "references": [], "tags": {"analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1526"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "author": "Rod Soto, Splunk", "date": "2020-07-10", "version": 1, "id": "7f5c2779-88a0-4824-9caa-0f606c8f260f", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk GCP add on. This search works with pubsub messaging service logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "99487de3-7192-4b41-939d-fbe9acfb1340", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`", "how_to_implement": "You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive object access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "bdb6d596-86a0-4aba-8369-418ae8b9963a", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`", "how_to_implement": "You must install splunk add on for GCP . This search works with pubsub messaging service logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect sensitive role access", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a46923f6-36b9-4806-a681-31f314907c30", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE EKS Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging servicelogs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. ", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "author": "Rod Soto, Splunk", "date": "2020-06-23", "version": 1, "id": "7094808d-432a-48e7-bb3c-77e96c894f3b", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging service logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "author": "Rod Soto, Splunk", "date": "2020-07-11", "version": 1, "id": "a5bed417-070a-41f2-a1e4-82b6aa281557", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "references": [], "tags": {"analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Monitor DNS For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2017-09-23", "version": 1, "id": "24dd17b1-e2fb-4c31-878c-d4f746595bfa", "description": "This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command.", "known_false_positives": "None at this time", "datamodel": ["Network_Resolution"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_dns", "definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "monitor_dns_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "author": "Michael Haag, Mauricio Velazco, Rico Valdez, Splunk", "date": "2024-02-29", "version": 3, "id": "19cba45f-cad3-4032-8911-0c09e0444552", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Users Failing To Authenticate From Ip`. This analytic identifies multiple failed logon attempts from a single IP in a short period of time. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS", "https://developer.okta.com/docs/reference/api/system-log/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Okta Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Multple user accounts have failed to authenticate from a single IP.", "risk_score": 9, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=user.session.start outcome.result=FAILURE | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Suspicious Admin Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "7f398cfb-918d-41f4-8db8-2e2474e02c28", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.003", "T1114"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_admin_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Suspicious Rights Delegation", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-15", "version": 2, "id": "b25d2973-303e-47c8-bacd-52b61604c6a7", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Elevated Mailbox Permission Assigned`. This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another users mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executives mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another users mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access.", "references": ["https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", "https://attack.mitre.org/techniques/T1098/002/", "https://attack.mitre.org/techniques/T1114/002/"], "tags": {"analytic_story": ["Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.002", "T1114", "T1098.002", "T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.", "known_false_positives": "While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_rights_delegation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "O365 Suspicious User Email Forwarding", "author": "Patrick Bareiss, Splunk", "date": "2020-12-16", "version": 1, "id": "f8dfe015-dbb3-4569-ba75-b13787e06aa4", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `O365 Mailbox Email Forwarding Enabled`. The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organizations data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the \"Identity\" field as \"src_user\" and searches for entries where the \"ForwardingSmtpAddress\" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules.", "references": [], "tags": {"analytic_story": ["Data Exfiltration", "Office 365 Collection Techniques"], "asset_type": "O365 Tenant", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ForwardingSmtpAddress", "type": "Email Address", "role": ["Other"]}], "message": "User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$", "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1114.003", "T1114"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_user_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Account Locked Out", "author": "Michael Haag, Splunk", "date": "2022-09-21", "version": 1, "id": "d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "$src_user$ account has been locked out.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) values(src_user) as user by src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Account Lockout Events", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-19", "version": 2, "id": "62b70968-a0a5-4724-8ac4-67871e6f544d", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Accounts Locked Out`. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.", "references": ["https://developer.okta.com/docs/reference/api/event-types/#catalog", "https://developer.okta.com/docs/reference/api/event-types/?q=user.account.lock"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "The following user $src_user$ has locked out their account within Okta.", "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_lockout_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Failed SSO Attempts", "author": "Michael Haag, Rico Valdez, Splunk", "date": "2022-09-21", "version": 3, "id": "371a6545-2618-4032-ad84-93386b8698c5", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with this detection `Okta Unauthorized Access to Application - DM`. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event \"unauth app access attempt\".", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ failed SSO authentication to the app.", "risk_score": 16, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "There may be a faulty config preventing legitmate users from accessing apps they should have access to.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_failed_sso_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "632663b0-4562-4aad-abe9-9f621a049738", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify Login failures with high unknown users count and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a high number of login failures.", "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.001", "T1110.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Login failures with high unknown users count*\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_login_failure_with_high_unknown_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "author": "Okta, Inc, Michael Haag, Splunk", "date": "2023-03-09", "version": 1, "id": "25dbad05-6682-4dd5-9ce9-8adecf0d9ae2", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta ThreatInsight Threat Detected`. The following analytic utilizes Oktas ThreatInsight to identify \"PasswordSpray\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "message": "Okta ThreatInsight has detected or prevented a PasswordSpray attack.", "risk_score": 60, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.001", "T1110.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Password Spray\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_suspected_passwordspray_attack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Okta Two or More Rejected Okta Pushes", "author": "Michael Haag, Marissa Bower, Splunk", "date": "2022-09-27", "version": 1, "id": "d93f785e-4c2c-4262-b8c7-12b77a13fd39", "description": "**DEPRECATION NOTE** - This search has been deprecated and replaced with `Okta Multiple Failed MFA Requests For User`. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"analytic_story": ["Okta MFA Exhaustion", "Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "message": "$user$ account has rejected multiple Okta pushes.", "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`okta` outcome.reason=\"User rejected Okta push verify\" OR (debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\" outcome.result=FAILURE legacyEventType=\"core.user.factor.attempt_fail\" \"target{}.detailEntry.methodTypeUsed\"=\"Get a push notification\") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, \"@\"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "okta", "definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_two_or_more_rejected_okta_pushes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Open Redirect in Splunk Web", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "d199fb99-2312-451a-9daa-e5efa6ed76a7", "description": "This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunk_web_access return_to=\"/%09/*\" | `open_redirect_in_splunk_web_filter`", "how_to_implement": "No extra steps needed to implement this search.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "open_redirect_in_splunk_web_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Osquery pack - ColdRoot detection", "author": "Rico Valdez, Splunk", "date": "2019-01-29", "version": 1, "id": "a6fffe5e-05c3-4c04-badc-887607fbb8dc", "description": "This search looks for ColdRoot events from the osx-attacks osquery pack.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model", "known_false_positives": "There are no known false positives.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "osquery_pack___coldroot_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Processes created by netsh", "author": "Bhavin Patel, Splunk", "date": "2020-11-23", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162041e", "description": "This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.", "references": [], "tags": {"analytic_story": ["Netsh Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude \"C:\\Program Files\\rempl\\sedlauncher.exe\" process path since it is a legitimate process by Mircosoft.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "processes_created_by_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Prohibited Software On Endpoint", "author": "David Dorsey, Splunk", "date": "2019-10-11", "version": 2, "id": "a51bfe1a-94f0-48cc-b4e4-b6ae50145893", "description": "This search looks for applications on the endpoint that you have marked as prohibited.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A", "Monitor for Unauthorized Software", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "prohibited_software_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "prohibited_softwares", "definition": "search *", "description": "This macro is deprecated. Update this macro to look for prohibited softwares in your environment"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Reg exe used to hide files directories via registry keys", "author": "Bhavin Patel, Splunk", "date": "2019-02-27", "version": 2, "id": "61a7d1e6-f5d4-41d9-a9be-39a1ffe69459", "description": "The search looks for command-line arguments used to hide a file or directory using the reg add command.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1564.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\"*add*\" Processes.process=\"*Hidden*\" Processes.process=\"*REG_DWORD*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \"(/d\\s+2)\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None at the moment", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Registry Key modifications", "author": "Bhavin Patel, Splunk", "date": "2020-03-02", "version": 3, "id": "c9f4b923-f8af-4155-b697-1354f5dcbc5e", "description": "This search monitors for remote modifications to registry keys.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"\\\\\\\\*\" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`", "how_to_implement": "To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.", "known_false_positives": "This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "remote_registry_key_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Scheduled tasks used in BadRabbit ransomware", "author": "Bhavin Patel, Splunk", "date": "2020-07-21", "version": 3, "id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6", "description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection", "references": [], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \"*create*\" OR Processes.process= \"*delete*\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No known false positives", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "scheduled_tasks_used_in_badrabbit_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Spectre and Meltdown Vulnerable Systems", "author": "David Dorsey, Splunk", "date": "2017-01-07", "version": 1, "id": "354be8e0-32cd-4da0-8c47-796de13b60ea", "description": "The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.", "references": [], "tags": {"analytic_story": ["Spectre And Meltdown Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\"CVE-2017-5753\" OR Vulnerabilities.cve =\"CVE-2017-5715\" OR Vulnerabilities.cve =\"CVE-2017-5754\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`", "how_to_implement": "The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.", "known_false_positives": "It is possible that your vulnerability scanner is not detecting that the patches have been applied.", "datamodel": ["Vulnerabilities"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spectre_and_meltdown_vulnerable_systems_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Enterprise Information Disclosure", "author": "David Dorsey, Splunk", "date": "2018-06-14", "version": 1, "id": "f6a26b7b-7e80-4963-a9a8-d836e7534ebd", "description": "This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.", "references": [], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\"*raw/services/server/info/server-info\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`", "how_to_implement": "The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.", "known_false_positives": "Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_information_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Changes to File Associations", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 4, "id": "1b989a0e-0129-4446-a695-f193a5b746fc", "description": "This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\\\Explorer\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_changes_to_file_associations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Email - UBA Anomaly", "author": "Bhavin Patel, Splunk", "date": "2020-07-22", "version": 3, "id": "56e877a6-1455-4479-ad16-0550dc1e33f8", "description": "This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).", "references": [], "tags": {"analytic_story": ["Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \"SuspiciousEmailDetectionModel\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`", "how_to_implement": "You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called \"SuspiciousEmailDetectionModel.\" Ensure that this model is enabled on your UBA instance.", "known_false_positives": "This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.", "datamodel": ["Email", "UEBA"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_email___uba_anomaly_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious File Write", "author": "Rico Valdez, Splunk", "date": "2019-04-25", "version": 3, "id": "57f76b8a-32f0-42ed-b358-d9fa3ca7bac8", "description": "The search looks for files created with names that have been linked to malicious activity.", "references": [], "tags": {"analytic_story": ["Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor.", "known_false_positives": "It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "suspicious_writes", "definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious"}], "lookups": []}, {"name": "Suspicious Powershell Command-Line Arguments", "author": "David Dorsey, Splunk", "date": "2021-01-19", "version": 6, "id": "2cdb91d2-542c-497f-b252-be495e71f38c", "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", "references": [], "tags": {"analytic_story": ["CISA AA22-320A", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_powershell_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 Rename", "author": "Michael Haag, Splunk", "date": "2022-04-07", "version": 5, "id": "7360137f-abad-473e-8189-acbdaa34d114", "description": "The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed rundll32.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1036", "T1218.011", "T1036.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to System Volume Information", "author": "Rico Valdez, Splunk", "date": "2020-07-22", "version": 2, "id": "cd6297cd-2bdd-4aa1-84aa-5d2f84228fac", "description": "This search detects writes to the 'System Volume Information' folder by something other than the System process.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\ Volume Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`", "how_to_implement": "You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_writes_to_system_volume_information_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Uncommon Processes On Endpoint", "author": "David Dorsey, Splunk", "date": "2020-07-22", "version": 4, "id": "29ccce64-a10c-4389-a45f-337cb29ba1f7", "description": "This search looks for applications on the endpoint that you have marked as uncommon.", "references": [], "tags": {"analytic_story": ["Hermetic Wiper", "Unusual Processes", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1204.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uncommon_processes", "definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon"}, {"name": "uncommon_processes_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsigned Image Loaded by LSASS", "author": "Patrick Bareiss, Splunk", "date": "2019-12-06", "version": 1, "id": "56ef054c-76ef-45f9-af4a-a634695dcd65", "description": "This search detects loading of unsigned images by LSASS. Deprecated because too noisy.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsigned_image_loaded_by_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unsuccessful Netbackup backups", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "a34aae96-ccf8-4aaa-952c-3ea21444444f", "description": "This search gives you the hosts where a backup was attempted and then failed.", "references": [], "tags": {"analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\"An error occurred, failed to backup.\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.", "known_false_positives": "None identified", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unsuccessful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Account Harvesting", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "bf1d7b5c-df2f-4249-a401-c09fdc221ddf", "description": "This search is used to identify the creation of multiple user accounts using the same email domain name.", "references": ["https://splunkbase.splunk.com/app/2734/", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_content_type=text* uri=\"/magento2/customer/account/loginPost/\" | rex field=cookie \"form_key=(?\\w+)\" | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | search Username=* | rex field=Username \"@(?.*)\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`", "how_to_implement": "We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.", "datamodel": [], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___account_harvesting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Anomalous User Clickspeed", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337bbb-bc22-4752-b599-ef192df2dc7a", "description": "This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* | rex field=cookie \"form_key=(?\\w+)\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`", "how_to_implement": "Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___anomalous_user_clickspeed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Fraud - Password Sharing Across Accounts", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "31337a1a-53b9-4e05-96e9-55c934cb71d3", "description": "This search is used to identify user accounts that share a common password.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | rex field=form_data \"login\\[password\\]=(?[^&|^$]+)\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`", "how_to_implement": "We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.", "datamodel": [], "source": "deprecated", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___password_sharing_across_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows connhost exe started forcefully", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "c114aaca-68ee-41c2-ad8c-32bf21db8769", "description": "The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. ", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process=\"*C:\\\\Windows\\\\system32\\\\conhost.exe* 0xffffffff *-ForceV1*\" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This process should not be ran forcefully, we have not see any false positives for this detection", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_connhost_exe_started_forcefully_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "author": "Michael Haag, Splunk", "date": "2023-11-07", "version": 3, "id": "79c7d0fc-60c7-41be-a616-ccda752efe89", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows hosts file modification", "author": "Rico Valdez, Splunk", "date": "2018-11-02", "version": 1, "id": "06a6fc63-a72d-41dc-8736-7e3dd9612116", "description": "The search looks for modifications to the hosts file on all Windows endpoints across your environment.", "references": [], "tags": {"analytic_story": ["Host Redirection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\System32\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "There may be legitimate reasons for system administrators to add entries to this file.", "datamodel": ["Endpoint"], "source": "deprecated", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_hosts_file_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "3CX Supply Chain Attack Network Indicators", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "791b727c-deec-4fbe-a732-756131b3c5a1", "description": "The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "URL String", "role": ["Attacker"]}], "message": "Indicators related to 3CX supply chain attack have been identified on $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1195.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.", "known_false_positives": "False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.", "datamodel": ["Network_Resolution"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "3cx_supply_chain_attack_network_indicators_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack.", "filename": "3cx_ioc_domains.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "fields_list": null}]}, {"name": "7zip CommandLine To SMB Share Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "01d29b48-ff6f-11eb-b81e-acde48001123", "description": "The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "archive process $process_name$ with suspicious cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "7zip_commandline_to_smb_share_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Access LSASS Memory for Dump Creation", "author": "Patrick Bareiss, Splunk", "date": "2024-05-13", "version": 3, "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "description": "The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "access_lsass_memory_for_dump_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Account Discovery With Net App", "author": "Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community", "date": "2024-05-22", "version": 5, "id": "339805ce-ac30-11eb-b87d-acde48001122", "description": "The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"analytic_story": ["IcedID", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=\"* user *\" OR Processes.process=\"*config*\" OR Processes.process=\"*view /all*\") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or power user may used this series of command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Active Directory Lateral Movement Identified", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "description": "The following analytic identifies potential lateral movement activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame. This is significant for a SOC as lateral movement is a common tactic used by attackers to expand their access within a network, posing a substantial risk. If confirmed malicious, this activity could allow attackers to escalate privileges, access sensitive information, and persist within the environment, leading to severe security breaches.", "references": ["https://attack.mitre.org/tactics/TA0008/", "https://research.splunk.com/stories/active_directory_lateral_movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to lateral movement has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Lateral Movement\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "active_directory_lateral_movement_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Active Directory Privilege Escalation Identified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "description": "The following analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame. This is significant for a SOC as it helps identify coordinated attempts to gain elevated privileges, which could indicate a serious security threat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive systems and data, leading to potential data breaches and further compromise of the network.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://research.splunk.com/stories/active_directory_privilege_escalation/"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to privilege escalation has been identified on $risk_object$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Privilege Escalation\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "active_directory_privilege_escalation_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Active Setup Registry Autostart", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 5, "id": "f64579c0-203f-11ec-abcc-acde48001122", "description": "The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"StubPath\" value within the \"SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.", "references": ["https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E", "https://attack.mitre.org/techniques/T1547/014/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.014", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Active setup installer may add or modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "active_setup_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Add DefaultUser And Password In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 5, "id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "description": "The following analytic detects suspicious registry modifications that implement auto admin logon by adding DefaultUserName and DefaultPassword values. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" registry path. This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot. If confirmed malicious, this could allow attackers to maintain persistence and further encrypt the network, leading to significant data loss and operational disruption.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.002", "T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "add_defaultuser_and_password_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Add or Set Windows Defender Exclusion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "773b66fe-4dd9-11ec-8289-acde48001122", "description": "The following analytic detects the use of commands to add or set exclusions in Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"Add-MpPreference\" or \"Set-MpPreference\" with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute undetected. If confirmed malicious, this behavior could enable attackers to evade antivirus detection, maintain persistence, and execute further malicious activities without interference from Windows Defender.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*Add-MpPreference *\" OR Processes.process = \"*Set-MpPreference *\") AND Processes.process=\"*-exclusion*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Admin or user may choose to use this windows features. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "add_or_set_windows_defender_exclusion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "AdsiSearcher Account Discovery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "de7fcadc-04f3-11ec-a241-acde48001122", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/002/", "https://www.blackhillsinfosec.com/red-blue-purple/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"AdsiSearcher\" used for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=user*\" ScriptBlockText = \"*.findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "adsisearcher_account_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Allow File And Printing Sharing In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 4, "id": "ce27646e-d411-11eb-8a00-acde48001122", "description": "The following analytic detects the modification of firewall settings to allow file and printer sharing. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving 'netsh' commands that enable file and printer sharing. This activity is significant because it can indicate an attempt by ransomware to discover and encrypt files on additional machines connected to the compromised host. If confirmed malicious, this could lead to widespread file encryption across the network, significantly increasing the impact of a ransomware attack.", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"File and Printer Sharing\\\"*\" Processes.process=\"*enable=Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_file_and_printing_sharing_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Allow Inbound Traffic By Firewall Rule Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 6, "id": "0a46537c-be02-11eb-92ca-acde48001122", "description": "The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Azorult", "NjRAT", "PlugX", "Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_inbound_traffic_by_firewall_rule_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Allow Inbound Traffic In Firewall Rule", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "a5d85486-b89c-11eb-8267-acde48001122", "description": "The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like \"firewall,\" \"Inbound,\" \"Allow,\" and \"-LocalPort.\" This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious firewall modification detected on endpoint $dest$ by user $user$.", "risk_score": 3, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*firewall*\" ScriptBlockText = \"*Inbound*\" ScriptBlockText = \"*Allow*\" ScriptBlockText = \"*-LocalPort*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "administrator may allow inbound traffic in certain network or machine.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_inbound_traffic_in_firewall_rule_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Allow Network Discovery In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 3, "id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "description": "The following analytic detects a suspicious modification to the firewall to allow network discovery on a machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving the 'netsh' command to enable network discovery. This activity is significant because it is commonly used by ransomware, such as REvil and RedDot, to discover and compromise additional machines on the network. If confirmed malicious, this could lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack.", "references": ["https://community.fortinet.com/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["BlackByte Ransomware", "NjRAT", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious modification to the firewall to allow network discovery detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.007", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"Network Discovery\\\"*\" Processes.process=\"*enable*\" Processes.process=\"*Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_network_discovery_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Allow Operation with Consent Admin", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 5, "id": "7de17d7a-c9d8-11eb-a812-acde48001122", "description": "The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4", "https://www.trendmicro.com/vinfo/no/threat-encyclopedia/malware/Ransom.Win32.MRDEC.MRA/"], "tags": {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "allow_operation_with_consent_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Anomalous usage of 7zip", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "description": "The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"rundll32.exe\", \"dllhost.exe\") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "anomalous_usage_of_7zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Any Powershell DownloadFile", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "1a93b7ea-7af7-11eb-adb5-acde48001122", "description": "The following analytic detects the use of PowerShell's `DownloadFile` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it is commonly used in malicious frameworks to download and execute additional payloads. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Analysts should investigate the source and destination of the download and review AMSI or PowerShell transaction logs for additional context.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Phemedrone Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "any_powershell_downloadfile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Any Powershell DownloadString", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 4, "id": "4d015ef2-7adf-11eb-95da-acde48001122", "description": "The following analytic detects the use of PowerShell's `DownloadString` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because `DownloadString` is commonly used in malicious PowerShell scripts to fetch and execute remote code. If confirmed malicious, this behavior could allow an attacker to download and run arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "IcedID", "Ingress Tool Transfer", "Malicious PowerShell", "Phemedrone Stealer", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "any_powershell_downloadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Attacker Tools On Endpoint", "author": "Bhavin Patel, Splunk", "date": "2024-05-29", "version": 4, "id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "description": "The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.", "references": [], "tags": {"analytic_story": ["CISA AA22-264A", "Monitor for Unauthorized Software", "SamSam Ransomware", "Unusual Processes", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036.005", "T1036", "T1003", "T1595"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some administrator activity can be potentially triggered, please add those users to the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attacker_tools_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "attacker_tools", "description": "A list of tools used by attackers", "filename": "attacker_tools.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempt To Add Certificate To Untrusted Store", "author": "Patrick Bareiss, Rico Valdez, Splunk", "date": "2024-05-12", "version": 8, "id": "6bc5243e-ef36-45dc-9b12-f4a6be131159", "description": "The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"], "tags": {"analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.004", "T1553"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attempt_to_add_certificate_to_untrusted_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Attempt To Stop Security Service", "author": "Rico Valdez, Splunk", "date": "2024-05-21", "version": 5, "id": "c8e349c6-b97c-486e-8949-bd7bcd1f3910", "description": "The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the \"sc.exe\" command with the \"stop\" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Data Destruction", "Disabling Security Tools", "Graceful Wipe Out Attack", "Trickbot", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified. Attempts to disable security-related services should be identified and understood.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attempt_to_stop_security_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "security_services_lookup", "description": "A list of services that deal with security", "filename": "security_services.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1, "fields_list": null}]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 8, "id": "e9fb4a59-c5fb-440a-9f24-191fbc6b2911", "description": "The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Data Destruction", "Industroyer2", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export the registry keys.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "attempted_credential_dump_from_registry_via_reg_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Auto Admin Logon Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 5, "id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "description": "The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"AutoAdminLogon\" value within the \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1552.002", "T1552"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "auto_admin_logon_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Batch File Write to System32", "author": "Steven Dick, Michael Haag, Rico Valdez, Splunk", "date": "2024-05-19", "version": 5, "id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "description": "The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\") Filesystem.file_name=\"*.bat\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "batch_file_write_to_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Bcdedit Command Back To Normal Mode Boot", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "dc7a8004-0f18-11ec-8c54-acde48001122", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that reconfigures a host from safe mode back to normal boot. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant as it may indicate the presence of ransomware, such as BlackMatter, which manipulates boot configurations to facilitate encryption processes. If confirmed malicious, this behavior could allow attackers to maintain control over the boot process, potentially leading to further system compromise and data encryption.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/deletevalue*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bcdedit_command_back_to_normal_mode_boot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "BCDEdit Failure Recovery Modification", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "809b31d2-5462-11eb-ae93-0242ac130002", "description": "The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as \"recoveryenabled\" and \"no\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair"], "tags": {"analytic_story": ["Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*recoveryenabled*\" (Processes.process=\"* no*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bcdedit_failure_recovery_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "BITS Job Persistence", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "e97a5ffe-90bf-11eb-928a-acde48001122", "description": "The following analytic detects the use of `bitsadmin.exe` to schedule a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line parameters such as `create`, `addfile`, and `resume`. This activity is significant because BITS jobs can be used by attackers to maintain persistence, download malicious payloads, or exfiltrate data. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or transfer sensitive information, necessitating further investigation and potential remediation.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"], "tags": {"analytic_story": ["BITS Jobs", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1197"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bits_job_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "BITSAdmin Download File", "author": "Michael Haag, Sittikorn S", "date": "2024-05-20", "version": 4, "id": "80630ff4-8e4c-11eb-aab5-acde48001122", "description": "The following analytic detects the use of `bitsadmin.exe` with the `transfer` parameter to download a remote object. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because `bitsadmin.exe` can be exploited to download and execute malicious files without immediate detection. If confirmed malicious, an attacker could use this technique to download and execute payloads, potentially leading to code execution, privilege escalation, or persistent access within the environment. Review parallel and child processes, especially `svchost.exe`, for associated artifacts.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download", "https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["BITS Jobs", "DarkSide Ransomware", "Flax Typhoon", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1197", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however it may be required to filter based on parent process name or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "bitsadmin_download_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "415b4306-8bfb-11eb-85c4-acde48001122", "description": "The following analytic detects the use of certutil.exe to download files using the `-urlcache` and `-split` arguments. It leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include these specific arguments. This activity is significant because certutil.exe is typically used for certificate services, and its use to download files from remote locations is uncommon and potentially malicious. If confirmed, this behavior could indicate an attempt to download and execute malicious payloads, leading to potential system compromise and unauthorized data access.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats", "https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkSide Ransomware", "Flax Typhoon", "Forest Blizzard", "Ingress Tool Transfer", "Living Off The Land", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_download_with_urlcache_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 4, "id": "801ad9e4-8bfb-11eb-8b31-acde48001122", "description": "The following analytic detects the use of `certutil.exe` to download files using the `-VerifyCtl` and `-split` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ingress Tool Transfer", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_download_with_verifyctl_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Certutil exe certificate extraction", "author": "Rod Soto, Splunk", "date": "2024-05-16", "version": 3, "id": "337a46be-600f-11eb-ae93-0242ac130002", "description": "The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack", "https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = \"*-exportPFX*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_exe_certificate_extraction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CertUtil With Decode Argument", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "bfe94226-8c10-11eb-a4b3-acde48001122", "description": "The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1140/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Deobfuscate-Decode Files or Information", "Forest Blizzard", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1140"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "certutil_with_decode_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Change Default File Association", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "462d17d8-1f71-11ec-ad07-acde48001122", "description": "The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under \"*\\\\shell\\\\open\\\\command\\\\*\" and \"*HKCR\\\\*\". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.", "references": ["https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Prestige Ransomware", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1546.001", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\shell\\\\open\\\\command\\\\*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "change_default_file_association_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Change To Safe Mode With Network Config", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "description": "The following analytic detects the execution of a suspicious `bcdedit` command that configures a host to boot in safe mode with network support. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant because it is a known technique used by BlackMatter ransomware to force a compromised host into safe mode for continued encryption. If confirmed malicious, this could allow attackers to bypass certain security controls, persist in the environment, and continue their malicious activities.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "bcdedit process with commandline $process$ to force safemode boot the $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/set*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" Processes.process=\"*network*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "change_to_safe_mode_with_network_config_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CHCP Command Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "21d236ec-eec1-11eb-b23e-acde48001122", "description": "The following analytic detects the execution of the chcp.exe application, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where chcp.exe is executed by cmd.exe with specific command-line arguments. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.", "references": ["https://ss64.com/nt/chcp.html", "https://twitter.com/tccontre18/status/1419941156633329665?s=20"], "tags": {"analytic_story": ["Azorult", "Forest Blizzard", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "other tools or script may used this to change code page to UTF-* or others", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "chcp_command_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Check Elevated CMD using whoami", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "a9079b18-1633-11ec-859c-acde48001122", "description": "The following analytic identifies the execution of the 'whoami' command with specific parameters to check for elevated privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment.", "references": [], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*whoami*\" Processes.process = \"*/group*\" Processes.process = \"* find *\" Processes.process = \"*12288*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "check_elevated_cmd_using_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Child Processes of Spoolsv exe", "author": "Rico Valdez, Splunk", "date": "2024-05-15", "version": 4, "id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "description": "The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "child_processes_of_spoolsv_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Clear Unallocated Sector Using Cipher App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "description": "The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process.", "references": ["https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cipher.exe\" Processes.process = \"*/w:*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may execute this app to manage disk", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "clear_unallocated_sector_using_cipher_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Clop Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 3, "id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "description": "The following analytic identifies the execution of CLOP ransomware variants using specific arguments (\"runrun\" or \"temp.dat\") to trigger their malicious activities. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it indicates potential ransomware behavior, which can lead to file encryption on network shares or local machines. If confirmed malicious, this activity could result in significant data loss and operational disruption due to encrypted files, highlighting the need for immediate investigation and response.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Operators can execute third party tools using these parameters.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "clop_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Clop Ransomware Known Service Name", "author": "Teoderick Contreras", "date": "2024-05-21", "version": 3, "id": "07e08a12-870c-11eb-b5f9-acde48001122", "description": "The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names (\"SecurityCenterIBM\", \"WinCheckDRVs\"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of a known Clop Ransomware Service Name detected on $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ServiceName StartType ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "clop_ransomware_known_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "CMD Carry Out String Command Parameter", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-20", "version": 5, "id": "54a6ed00-3256-11ec-b031-acde48001122", "description": "The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AsyncRAT", "Azorult", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Hermetic Wiper", "IcedID", "Living Off The Land", "Log4Shell CVE-2021-44228", "NjRAT", "PlugX", "ProxyNotShell", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Warzone RAT", "WhisperGate", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.003", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process=\"* /c*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be high based on legitimate scripted code in any environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "cmd_carry_out_string_command_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CMD Echo Pipe - Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "eb277ba0-b96b-11eb-b00e-acde48001122", "description": "The following analytic identifies the use of named-pipe impersonation for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. It detects command-line executions where `cmd.exe` uses `echo` to write to a named pipe, such as `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential privilege escalation attempts. If confirmed malicious, attackers could gain elevated privileges, enabling further compromise and persistence within the environment.", "references": ["https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.003", "T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible filtering may be required to ensure fidelity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cmd_echo_pipe___escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "6c3f7dd8-153c-11ec-ac2d-acde48001122", "description": "The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-277A", "CISA AA23-347A", "DarkGate Malware", "FIN7", "Qakbot", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cmdline_tool_not_executed_in_cmd_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-05", "version": 2, "id": "f87b5062-b405-11eb-a889-acde48001122", "description": "The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "tags": {"analytic_story": ["DarkSide Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Legitimate windows application that are not on the list loading this dll. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cmlua_or_cmstplua_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Cobalt Strike Named Pipes", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "5876d429-0240-4709-8b93-ea8330b411b5", "description": "The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify specific named pipes commonly used by Cobalt Strike's Artifact Kit and Malleable C2 Profiles. This activity is significant because Cobalt Strike is a popular tool for adversaries to conduct post-exploitation tasks, and identifying its named pipes can reveal potential malicious activity. If confirmed malicious, this could indicate an active Cobalt Strike beacon, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1040", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "DarkSide Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=17 OR EventID=18 PipeName IN (\\\\msagent_*, \\\\DserNamePipe*, \\\\srvsvc_*, \\\\postex_*, \\\\status_*, \\\\MSSE-*, \\\\spoolss_*, \\\\win_svc*, \\\\ntsvcs*, \\\\winsock*, \\\\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name, process_id process_path, PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "cobalt_strike_named_pipes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Common Ransomware Extensions", "author": "David Dorsey, Michael Haag, Splunk, Steven Dick", "date": "2024-05-26", "version": 6, "id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "description": "The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.", "references": ["https://github.com/splunk/security_content/issues/2448"], "tags": {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name \"(?\\.[^\\.]+)$\" | rex field=file_path \"(?([^\\\\\\]*\\\\\\)*).*\" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "common_ransomware_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "ransomware_extensions", "definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Common Ransomware Notes", "author": "David Dorsey, Splunk", "date": "2024-05-22", "version": 5, "id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "description": "The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands.", "references": [], "tags": {"analytic_story": ["Chaos Ransomware", "Clop Ransomware", "LockBit Ransomware", "Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "It's possible that a legitimate file could be created with the same name used by ransomware note files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "common_ransomware_notes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "ransomware_notes", "definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "56a3ac65-e747-41f7-b014-dff7423c1dda", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") Filesystem.file_name IN (\"*.aspx\",\"*.ashx\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`", "how_to_implement": "This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "connectwise_screenconnect_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "4e127857-1fc9-4c95-9d69-ba24c91d52d7", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A path traversal attack against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4663 ProcessName=*\\\\ScreenConnect.Service.exe file_path IN (\"*\\\\ScreenConnect\\\\App_Extensions\\\\*\") file_name IN (\"*.aspx\",\"*.ashx\") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter`", "how_to_implement": "To implement the following query, enable SACL auditing for the ScreenConnect directory(ies). With this data, the following analytic will work correctly. A GIST is provided in the references to assist with enabling SACL Auditing.", "known_false_positives": "False positives should be limited as the analytic is specific to ScreenConnect path traversal attempts. Tune as needed, or restrict to specific hosts if false positives are encountered.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "connectwise_screenconnect_path_traversal_windows_sacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Conti Common Exec parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "624919bc-c382-11eb-adcc-acde48001122", "description": "The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*-m local*\" OR Processes.process = \"*-m net*\" OR Processes.process = \"*-m all*\" OR Processes.process = \"*-nomutex*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "3rd party tool may have commandline parameter that can trigger this detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "conti_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Control Loading from World Writable Directory", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "10423ac4-10c9-11ec-8dc4-acde48001122", "description": "The following analytic identifies instances of control.exe loading a .cpl or .inf file from a writable directory, which is related to CVE-2021-40444. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate an attempt to exploit a known vulnerability, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to gain control over the affected system, leading to further compromise.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "control_loading_from_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Create local admin accounts using net exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 10, "id": "b89919ed-fe5f-492c-b139-151bb162040e", "description": "The following analytic detects the creation of local administrator accounts using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes named net.exe or net1.exe with the \"/add\" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.", "references": [], "tags": {"analytic_story": ["Azorult", "CISA AA22-257A", "DHS Report TA18-074A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create admin accounts.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_local_admin_accounts_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Create or delete windows shares using net exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-26", "version": 7, "id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "description": "The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats.", "references": ["https://attack.mitre.org/techniques/T1070/005/"], "tags": {"analytic_story": ["CISA AA22-277A", "DarkGate Malware", "Hidden Cobra Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070", "T1070.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_or_delete_windows_shares_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Create Remote Thread In Shell Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "10399c1e-f51e-11eb-b920-acde48001122", "description": "The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "references": ["https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/"], "tags": {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\cmd.exe\", \"*\\\\powershell*\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest |rename SourceImage as process_name| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_remote_thread_in_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Create Remote Thread into LSASS", "author": "Patrick Bareiss, Splunk", "date": "2024-05-26", "version": 2, "id": "67d4dbef-9564-4699-8da8-03a151529edc", "description": "The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon Event ID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "TargetImage", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, EventCode, TargetImage, TargetProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "create_remote_thread_into_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Creation of lsass Dump with Taskmgr", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "description": "The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager", "https://attack.mitre.org/techniques/T1003/001/", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category, process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "creation_of_lsass_dump_with_taskmgr_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Creation of Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 3, "id": "eb120f5f-b879-4a63-97c1-93352b5df844", "description": "The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate administrator usage of Vssadmin or Wmic will create false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "creation_of_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "author": "Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 4, "id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "description": "The following analytic detects the creation of shadow copies using \"wmic\" or \"Powershell\" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes \"shadowcopy\" and \"create\". This activity is significant because it may indicate an attacker attempting to manipulate or access data unauthorizedly, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legtimate administrator usage of wmic to create a shadow copy.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "creation_of_shadow_copy_with_wmic_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-30", "version": 3, "id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "description": "The following analytic detects the use of the copy command to dump credentials from a shadow copy. It leverages Endpoint Detection and Response (EDR) data to identify processes with command lines referencing critical files like \"sam\", \"security\", \"system\", and \"ntds.dit\" in system directories. This activity is significant as it indicates an attempt to extract credentials, a common technique for unauthorized access and privilege escalation. If confirmed malicious, this could lead to attackers gaining sensitive login information, escalating privileges, moving laterally within the network, or accessing sensitive data.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "credential_dumping_via_copy_command_from_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Credential Dumping via Symlink to Shadow Copy", "author": "Patrick Bareiss, Splunk", "date": "2024-05-20", "version": 3, "id": "c5eac648-fae0-4263-91a6-773df1f4c903", "description": "The following analytic detects the creation of a symlink to a shadow copy, which may indicate credential dumping attempts. It leverages the Endpoint.Processes data model in Splunk to identify processes executing commands containing \"mklink\" and \"HarddiskVolumeShadowCopy\". This activity is significant because attackers often use this technique to manipulate or delete shadow copies, hindering system backup and recovery efforts. If confirmed malicious, this could prevent data restoration, complicate incident response, and lead to data loss or compromise. Analysts should review the process details, user, parent process, and any related artifacts to identify the attack source.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "credential_dumping_via_symlink_to_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "CSC Net On The Fly Compilation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "ea73128a-43ab-11ec-9753-acde48001122", "description": "The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/", "https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "csc.exe with commandline $process$ to compile .net code on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027.004", "T1027"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = \"*/noconfig*\" Processes.process = \"*/fullpaths*\" Processes.process = \"*@*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "csc_net_on_the_fly_compilation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_csc", "definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Curl Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "900bc324-59f3-11ec-9fb4-acde48001122", "description": "The following analytic detects the use of curl on Linux or MacOS systems to download a file from a remote source and pipe it directly to bash for execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant as it is commonly associated with malicious actions such as coinminers and exploitation of vulnerabilities like CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could lead to unauthorized code execution, system compromise, and further exploitation within the environment.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "curl_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Delete ShadowCopy With PowerShell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "description": "The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like \"ShadowCopy,\" \"Delete,\" or \"Remove\" within the ScriptBlockText. This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, this action could lead to irreversible data loss and hinder recovery efforts, significantly impacting business continuity and data integrity.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security"], "tags": {"analytic_story": ["DarkGate Malware", "DarkSide Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to delete ShadowCopy was performed using PowerShell on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*ShadowCopy*\" (ScriptBlockText = \"*Delete*\" OR ScriptBlockText = \"*Remove*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText |rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "delete_shadowcopy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Deleting Of Net Users", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "1c8c6f66-acce-11eb-aafb-acde48001122", "description": "The following analytic detects the use of net.exe or net1.exe command-line to delete a user account on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as it may indicate an attempt to impair user accounts or cover tracks during lateral movement. If confirmed malicious, this could lead to unauthorized access removal, disruption of legitimate user activities, or concealment of adversarial actions, complicating incident response and forensic investigations.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["DarkGate Malware", "Graceful Wipe Out Attack", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1531"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/delete*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators or scripts may delete user accounts via this technique. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "deleting_of_net_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Deleting Shadow Copies", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 5, "id": "b89919ed-ee5f-492c-b139-95dbb162039e", "description": "The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["CISA AA22-264A", "Chaos Ransomware", "Clop Ransomware", "DarkGate Malware", "LockBit Ransomware", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "SamSam Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "deleting_shadow_copies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect AzureHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "26f02e96-c300-11eb-b611-acde48001122", "description": "The following analytic detects the execution of the `Invoke-AzureHound` command-line argument, commonly used by the AzureHound tool. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because AzureHound is often used for reconnaissance in Azure environments, potentially exposing sensitive information. If confirmed malicious, this activity could allow an attacker to map out Azure Active Directory structures, aiding in further attacks and privilege escalation.", "references": ["https://attack.mitre.org/software/S0521/", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_azurehound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect AzureHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 3, "id": "1c34549e-c31b-11eb-996b-acde48001122", "description": "The following analytic detects the creation of specific AzureHound-related files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation events with specific filenames. This activity is significant because AzureHound is a tool used to gather information about Azure environments, similar to SharpHound for on-premises Active Directory. If confirmed malicious, this activity could indicate an attacker is collecting sensitive Azure environment data, potentially leading to further exploitation or privilege escalation within the cloud infrastructure.", "references": ["https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/Legacy-AzureHound.ps1/blob/master/AzureHound.ps1"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_azurehound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2024-05-15", "version": 2, "id": "93fbec4e-0375-440c-8db3-4508eca470c4", "description": "The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the \"sudoedit -s \\\\\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the \"-s\" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`linux_hosts` \"sudoedit -s \\\\\" | `detect_baron_samedit_cve_2021_3156_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_baron_samedit_cve_2021_3156_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "description": "The following analytic identifies a heap-based buffer overflow in sudoedit by detecting Linux logs containing both \"sudoedit\" and \"segfault\" terms. This detection leverages Splunk to monitor for more than five occurrences of these terms on a single host within a specified timeframe. This activity is significant because exploiting this vulnerability (CVE-2021-3156) can allow attackers to gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host", "known_false_positives": "If sudoedit is throwing segfaults for other reasons this will pick those up too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_baron_samedit_cve_2021_3156_segfault_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "author": "Shannon Davis, Splunk", "date": "2024-05-13", "version": 2, "id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "description": "The following analytic detects the execution of the \"sudoedit -s *\" command, which is associated with the Baron Samedit CVE-2021-3156 heap-based buffer overflow vulnerability. This detection leverages the `osquery_process` data source to identify instances where this specific command is run. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows privilege escalation. If confirmed malicious, an attacker could gain full control of the system, execute arbitrary code, or access sensitive data, leading to potential data breaches and system disruptions.", "references": [], "tags": {"analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery_process` | search \"columns.cmdline\"=\"sudoedit -s \\\\*\" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`", "how_to_implement": "OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Certify Command Line Arguments", "author": "Steven Dick", "date": "2024-05-25", "version": 2, "id": "e6d2dc61-a8b9-4b03-906c-da0ca75d71b8", "description": "The following analytic detects the use of Certify or Certipy tools to enumerate Active Directory Certificate Services (AD CS) environments. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with these tools. This activity is significant because it indicates potential reconnaissance or exploitation attempts targeting AD CS, which could lead to unauthorized access or privilege escalation. If confirmed malicious, attackers could gain insights into the AD CS infrastructure, potentially compromising sensitive certificates and escalating their privileges within the network.", "references": ["https://github.com/GhostPack/Certify", "https://github.com/ly4k/Certipy", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Certify/Certipy arguments detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1649", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"* find *\",\"* auth *\",\"* request *\",\"* req *\",\"* download *\",) AND Processes.process IN (\"* /vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\",\"* /ca*\", \"* -username *\",\"* -u *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_certify_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "author": "Steven Dick", "date": "2024-05-12", "version": 2, "id": "f533ca6c-9440-4686-80cb-7f294c07812a", "description": "The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.", "references": ["https://github.com/GhostPack/Certify", "https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Malicious PowerShell", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Certify arguments through PowerShell detected on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1649", "T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText IN (\"*find *\") AND ScriptBlockText IN (\"* /vulnerable*\",\"* -vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\")) OR (ScriptBlockText IN (,\"*auth *\",\"*req *\",) AND ScriptBlockText IN (\"* -ca *\",\"* -username *\",\"* -u *\")) OR (ScriptBlockText IN (\"*request *\",\"*download *\") AND ScriptBlockText IN (\"* /ca:*\")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),\"unknown\") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell..", "known_false_positives": "Unknown, partial script block matches.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_certify_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Certipy File Modifications", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "7e3df743-b1d8-4631-8fa8-bd5819688876", "description": "The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities. This activity is significant as it indicates potential reconnaissance and data exfiltration efforts by an attacker. If confirmed malicious, this could lead to unauthorized access to sensitive AD CS information, enabling further attacks or privilege escalation within the network.", "references": ["https://github.com/ly4k/Certipy"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious files $file_name$ related to Certipy detected on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649", "T1560"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action=\"allowed\" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action |`drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*_certipy.zip\", \"*_certipy.txt\", \"*_certipy.json\", \"*.ccache\") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` ] | fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_certipy_file_modifications_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_certipy_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Computer Changed with Anonymous Account", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-18", "version": 2, "id": "1400624a-d42d-484d-8843-e6753e6e3645", "description": "The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to \"ANONYMOUS LOGON\" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.", "references": ["https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/"], "tags": {"analytic_story": ["Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1210"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\"ANONYMOUS LOGON\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`", "how_to_implement": "This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "None thus far found", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_computer_changed_with_anonymous_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 3, "id": "9251299c-ea5b-11eb-a8de-acde48001122", "description": "The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*copy*\",\"*[System.IO.File]::Copy*\") AND ScriptBlockText IN (\"*System32\\\\config\\\\SAM*\", \"*System32\\\\config\\\\SYSTEM*\",\"*System32\\\\config\\\\SECURITY*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_copy_of_shadowcopy_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Credential Dumping through LSASS access", "author": "Patrick Bareiss, Splunk", "date": "2024-05-28", "version": 4, "id": "2c365e57-4414-4540-8dc0-73ab10729996", "description": "The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities.", "references": [], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping", "Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetImage", "type": "Other", "role": ["Victim"]}], "message": "The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_credential_dumping_through_lsass_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "bc1dc6b8-c954-11eb-bade-acde48001122", "description": "The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://github.com/BC-SECURITY/Empire", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_empire_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Excessive Account Lockouts From Endpoint", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 9, "id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "description": "The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple accounts have been locked out. Review $dest$ and results related to $user$.", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`", "how_to_implement": "You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.\n**Splunk>Phantom Playbook Integration** If Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active.\nPlaybook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`)", "known_false_positives": "It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_excessive_account_lockouts_from_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Excessive User Account Lockouts", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 6, "id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "description": "The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.", "references": [], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Excessive user account lockouts for $user$ in a short period of time", "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078", "T1078.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result=\"*lock*\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`", "how_to_implement": "ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.", "known_false_positives": "It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_excessive_user_account_lockouts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Exchange Web Shell", "author": "Michael Haag, Shannon Davis, David Dorsey, Splunk", "date": "2024-05-21", "version": 6, "id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "description": "The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. It leverages data from the Endpoint datamodel, focusing on process and filesystem events. This activity is significant as it may indicate a web shell deployment, a common method for persistent access and remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary commands, and potentially escalate privileges within the Exchange environment.", "references": ["https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "HAFNIUM Group", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1505.003", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest user file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest user file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_exchange_web_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help Renamed", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 5, "id": "62fed254-513b-460e-953d-79771493a9f3", "description": "The following analytic detects instances where hh.exe (HTML Help) has been renamed and is executing a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because attackers can use renamed hh.exe to execute malicious scripts embedded in CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow attackers to run arbitrary scripts, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_html_help_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help Spawn Child Process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "description": "The following analytic detects the execution of hh.exe (HTML Help) spawning a child process, indicating the use of a Compiled HTML Help (CHM) file to execute Windows script code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where hh.exe is the parent process. This activity is significant as it may indicate an attempt to execute malicious scripts via CHM files, a known technique for bypassing security controls. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["AgentTesla", "Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_html_help_spawn_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help URL in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "description": "The following analytic detects the execution of hh.exe (HTML Help) loading a Compiled HTML Help (CHM) file from a remote URL. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing URLs. This activity is significant as it can indicate an attempt to execute malicious scripts via CHM files, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to run scripts using engines like JScript or VBScript, leading to further system compromise or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://blog.sevagas.com/?Hacking-around-HTA-files", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_html_help_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "description": "The following analytic detects the execution of hh.exe (HTML Help) using InfoTech Storage Handlers to load Windows script code from a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it can be used to execute malicious scripts embedded within CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://www.kb.cert.org/vuls/id/851869", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_html_help_using_infotech_storage_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "8148c29c-c952-11eb-9255-acde48001122", "description": "The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_mimikatz_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect mshta inline hta execution", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2024-05-21", "version": 7, "id": "a0873b32-5b68-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of \"mshta.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments and process details. This activity is significant because mshta.exe can be exploited to execute malicious scripts, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or establish persistence within the environment, posing a severe security risk.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_mshta_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect mshta renamed", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 4, "id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "description": "The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ executed by user $user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_mshta_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect MSHTA Url in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Microsoft HTML Application Host (mshta.exe) to make remote HTTP or HTTPS connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments containing URLs. This activity is significant because adversaries often use mshta.exe to download and execute remote .hta files, bypassing security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network infiltration.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to access a remote destination to download an additional payload.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible legitimate applications may perform this behavior and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_mshta_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect New Local Admin account", "author": "David Dorsey, Splunk", "date": "2024-05-15", "version": 4, "id": "b25f6f62-0712-43c1-b203-083231ffd97d", "description": "The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.", "references": [], "tags": {"analytic_story": ["CISA AA22-257A", "DHS Report TA18-074A", "HAFNIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.", "risk_score": 42, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`", "how_to_implement": "You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732", "known_false_positives": "The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not \"Administrators\", this search may generate an excessive number of false positives", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_new_local_admin_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Outlook exe writing a zip file", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 5, "id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "description": "The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.", "references": [], "tags": {"analytic_story": ["Amadey", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\Users* OR Filesystem.file_path=*Local\\\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != \"\" | `detect_outlook_exe_writing_a_zip_file_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "It is not uncommon for outlook to write legitimate zip files to the disk.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_outlook_exe_writing_a_zip_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Path Interception By Creation Of program exe", "author": "Patrick Bareiss, Splunk", "date": "2024-05-19", "version": 6, "id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "description": "The following analytic identifies the creation of a program executable in an unquoted service path, a common technique for privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is 'services.exe'. This activity is significant because unquoted service paths can be exploited by attackers to execute arbitrary code with elevated privileges. If confirmed malicious, this could allow an attacker to gain higher-level access, potentially leading to full system compromise and persistent control over the affected endpoint.", "references": ["https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.009", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \"^.*?\\\\\\\\(?[^\\\\\\\\]*\\.(?:exe|bat|com|ps1))\" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_path_interception_by_creation_of_program_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect processes used for System Network Configuration Discovery", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 3, "id": "a51bfe1a-94f0-48cc-b1e4-16ae10145893", "description": "The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.", "references": [], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_processes_used_for_system_network_configuration_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_network_configuration_discovery_tools", "definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration"}], "lookups": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-16", "version": 7, "id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "description": "The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd_macro`] | `detect_prohibited_applications_spawning_cmd_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_prohibited_applications_spawning_cmd_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "prohibited_apps_launching_cmd_macro", "definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect PsExec With accepteula Flag", "author": "Bhavin Patel, Splunk", "date": "2024-05-23", "version": 5, "id": "27c3a83d-cada-47c6-9042-67baf19d2574", "description": "The following analytic identifies the execution of `PsExec.exe` with the `accepteula` flag in the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because PsExec is commonly used by threat actors to execute code on remote systems, and the `accepteula` flag indicates first-time usage, which could signify initial compromise. If confirmed malicious, this activity could allow attackers to gain remote code execution capabilities, potentially leading to further system compromise and lateral movement within the network.", "references": ["https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "IcedID", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_psexec_with_accepteula_flag_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_psexec", "definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rare Executables", "author": "Bhavin Patel, Splunk", "date": "2024-05-21", "version": 5, "id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "description": "The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact.", "references": [], "tags": {"analytic_story": ["Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A rare process - [$process_name$] has been detected on less than 10 hosts in your environment.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate processes may be only rarely executed in your environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_rare_executables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect RClone Command-Line Usage", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "description": "The following analytic detects the usage of `rclone.exe` with specific command-line arguments indicative of file transfer activities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as `rclone.exe` is often used by adversaries for data exfiltration, especially during ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and potential loss of sensitive information. Immediate isolation of the affected endpoint and further investigation are recommended.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1020"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rclone_command_line_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rclone", "definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regasm Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "description": "The following analytic detects regasm.exe spawning a child process. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where regasm.exe is the parent process. This activity is significant because regasm.exe spawning a process is rare and can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated activities.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["DarkGate Malware", "Living Off The Land", "Snake Keylogger", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe NOT (Processes.process_name IN (\"conhost.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regasm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regasm with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "description": "The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regasm_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Regasm with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "description": "The following analytic detects instances of regasm.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regasm.exe. The detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line executions. This activity is significant as it may signal an attempt to evade detection or execute malicious code. If confirmed malicious, attackers could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information. Investigate network connections, parallel processes, and suspicious module loads for further context.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regasm_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regasm", "definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regsvcs Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "description": "The following analytic identifies regsvcs.exe spawning a child process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is regsvcs.exe. This activity is significant because regsvcs.exe rarely spawns child processes, and such behavior can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated suspicious activities.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvcs_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regsvcs with Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 4, "id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "description": "The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon Event ID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvcs_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 4, "id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "description": "The following analytic detects instances of regsvcs.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regsvcs.exe. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, IDs, and command-line executions. This activity is significant as it may signal an attempt to evade detection and execute malicious code. If confirmed malicious, the attacker could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Regsvcs Regasm Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.009"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvcs_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvcs", "definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Regsvr32 Application Control Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "070e9b80-6252-11eb-ae93-0242ac130002", "description": "The following analytic identifies the abuse of Regsvr32.exe to proxy execution of malicious code, specifically detecting the loading of \"scrobj.dll\" by Regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line executions. This activity is significant because Regsvr32.exe is a trusted, signed Microsoft binary, often used in \"Squiblydoo\" attacks to bypass application control mechanisms. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives related to third party software registering .DLL's.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_regsvr32_application_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Remote Access Software Usage File", "author": "Steven Dick", "date": "2024-05-13", "version": 2, "id": "3bf5541a-6a45-4fdc-b01d-59b899fff961", "description": "The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file for known a remote access software [$file_name$] was created on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime, values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage FileInfo", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "ccad96d7-a48c-4f13-8b9c-9f6a31cba454", "description": "The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A file attributes for known a remote access software [$process_name$] was detected on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`", "how_to_implement": "This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk.", "known_false_positives": "Known or approved applications used by the organization or usage of built-in functions.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_fileinfo_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Process", "author": "Steven Dick", "date": "2024-05-23", "version": 2, "id": "ffd5e001-2e34-48f4-97a2-26dc4bb08178", "description": "The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process for a known remote access software $process_name$ was identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Renamed 7-Zip", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "4057291a-b8cf-11eb-95fe-acde48001122", "description": "The following analytic detects the usage of a renamed 7-Zip executable using Sysmon data. It leverages the OriginalFileName field to identify instances where the 7-Zip process has been renamed. This activity is significant as attackers often rename legitimate tools to evade detection while staging or exfiltrating data. If confirmed malicious, this behavior could indicate data exfiltration attempts or other unauthorized data manipulation, potentially leading to significant data breaches or loss of sensitive information. Analysts should validate the legitimacy of the 7-Zip executable and investigate parallel processes for further suspicious activities.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_7_zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Renamed PSExec", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "683e6196-b8e8-11eb-9a79-acde48001122", "description": "The following analytic identifies instances where `PsExec.exe` has been renamed and executed on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because renaming `PsExec.exe` is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml", "https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware", "CISA AA22-320A", "DHS Report TA18-074A", "DarkGate Malware", "DarkSide Ransomware", "HAFNIUM Group", "Rhysida Ransomware", "SamSam Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_psexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Renamed RClone", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "6dca1124-b3ec-11eb-9328-acde48001122", "description": "The following analytic detects the execution of a renamed `rclone.exe` process, which is commonly used for data exfiltration to remote destinations. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and original file names that do not match. This activity is significant because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially leading to significant data loss and further compromise of the affected systems.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1020"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_rclone_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Renamed WinRAR", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "description": "The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"analytic_story": ["CISA AA22-277A", "Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible third party applications use renamed instances of WinRAR.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_renamed_winrar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect RTLO In File Name", "author": "Steven Dick", "date": "2024-05-24", "version": 3, "id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "description": "The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to disguise malicious files as benign by reversing the text that follows the character. If confirmed malicious, this technique can deceive users and security tools, leading to the execution of harmful files and potential system compromise.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.002", "T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = \"\\\\x{202E}\" | rex field=file_name \"(?.+)(?\\\\x{202E})(?.+)\" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rtlo_in_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect RTLO In Process", "author": "Steven Dick", "date": "2024-05-29", "version": 3, "id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "description": "The following analytic identifies the abuse of the right-to-left override (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line data. This activity is significant because adversaries use the RTLO character to disguise malicious files or commands, making them appear benign. If confirmed malicious, this technique can allow attackers to execute harmful code undetected, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.002", "T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process=\"\\\\x{202E}\" | rex field=process \"(?.+)(?\\\\x{202E})(?.+)\" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Implementation in regions that use right to left in native language.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rtlo_in_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8", "description": "The following analytic detects the execution of rundll32.exe loading advpack.dll or ieadvpack.dll via the LaunchINFSection function. This method is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate script content, network connections, and any spawned child processes for further context.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Advpack/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_application_control_bypass___advpack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "61e7b44a-6088-4f26-b788-9a96ba13b37a", "description": "The following analytic detects the execution of rundll32.exe loading setupapi.dll and iesetupapi.dll via the LaunchINFSection function. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events and command-line arguments. This activity is significant as it indicates a potential application control bypass, allowing an attacker to execute arbitrary script code. If confirmed malicious, this technique could enable code execution, privilege escalation, or persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use setupapi triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_application_control_bypass___setupapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "71b9bf37-cde1-45fb-b899-1b0aa6fa1183", "description": "The following analytic detects the execution of rundll32.exe loading syssetup.dll via the LaunchINFSection function. This method is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions and process details. This activity is significant as it indicates a potential application control bypass, allowing script code execution from a file. If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation, persistence, or further network compromise. Investigate the script content, network connections, and any spawned child processes for further context.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Syssetup/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_application_control_bypass___syssetup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Rundll32 Inline HTA Execution", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "91c79f14-5b41-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of \"rundll32.exe\" with inline protocol handlers such as \"JavaScript\", \"VBScript\", and \"About\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"analytic_story": ["Living Off The Land", "NOBELIUM Group", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious rundll32.exe inline HTA execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_rundll32_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect SharpHound Command-Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "description": "The following analytic detects the execution of SharpHound command-line arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible SharpHound command-Line arguments identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*-collectionMethod*\",\"*invoke-bloodhound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_sharphound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect SharpHound File Modifications", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 4, "id": "42b4b438-beed-11eb-ba1d-acde48001122", "description": "The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential SharpHound file modifications identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_sharphound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect SharpHound Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 4, "id": "dd04b29a-beed-11eb-87bc-acde48001122", "description": "The following analytic detects the usage of the SharpHound binary by identifying its original filename, `SharpHound.exe`, and the process name. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process metadata and command-line executions. SharpHound is a tool used for Active Directory enumeration, often by attackers during the reconnaissance phase. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially leading to privilege escalation and lateral movement within the environment.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"analytic_story": ["Ransomware", "Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential SharpHound binary identified on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_sharphound_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-27", "version": 2, "id": "a15f8977-ad7d-4669-92ef-b59b97219bf5", "description": "The following analytic identifies suspicious process names using a pre-trained Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry to analyze process names and predict their likelihood of being malicious. The model, a character-level Recurrent Neural Network (RNN), classifies process names as benign or suspicious based on a threshold score of 0.5. This detection is significant as it helps identify malware, such as TrickBot, which often uses randomly generated filenames to evade detection. If confirmed malicious, this activity could indicate the presence of malware capable of propagating across the network and executing harmful actions.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa20-302a", "https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if a suspicious processname is similar to a benign processname.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 6, "id": "b89919ed-fe5f-492c-b139-95dbb162039e", "description": "The following analytic detects the execution of cscript.exe or wscript.exe processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes within the Endpoint data model. This activity is significant as it may indicate script-based attacks or administrative actions that could be leveraged for malicious purposes. If confirmed malicious, this behavior could allow attackers to execute scripts, potentially leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1059/", "https://redcanary.com/threat-detection-report/techniques/windows-command-shell/"], "tags": {"analytic_story": ["Azorult", "Emotet Malware DHS Report TA18-201A", "Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "cmd.exe launching script interpreters $process_name$ on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"cmd.exe\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Webshell Exploit Behavior", "author": "Steven Dick", "date": "2024-05-20", "version": 3, "id": "22597426-6dbd-49bd-bcdc-4ec19857192f", "description": "The following analytic identifies the execution of suspicious processes typically associated with webshell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a webshell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.", "references": ["https://attack.mitre.org/techniques/T1505/003/", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "HAFNIUM Group", "ProxyNotShell", "ProxyShell", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1505.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"arp.exe\",\"at.exe\",\"bash.exe\",\"bitsadmin.exe\",\"certutil.exe\",\"cmd.exe\",\"cscript.exe\", \"dsget.exe\",\"dsquery.exe\",\"find.exe\",\"findstr.exe\",\"fsutil.exe\",\"hostname.exe\",\"ipconfig.exe\",\"ksh.exe\",\"nbstat.exe\", \"net.exe\",\"net1.exe\",\"netdom.exe\",\"netsh.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ntdsutil.exe\",\"pathping.exe\", \"ping.exe\",\"powershell.exe\",\"pwsh.exe\",\"qprocess.exe\",\"query.exe\",\"qwinsta.exe\",\"reg.exe\",\"rundll32.exe\",\"sc.exe\", \"scrcons.exe\",\"schtasks.exe\",\"sh.exe\",\"systeminfo.exe\",\"tasklist.exe\",\"tracert.exe\",\"ver.exe\",\"vssadmin.exe\", \"wevtutil.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\",\"wusa.exe\",\"zsh.exe\") AND Processes.parent_process_name IN (\"w3wp.exe\", \"http*.exe\", \"nginx*.exe\", \"php*.exe\", \"php-cgi*.exe\",\"tomcat*.exe\")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_webshell_exploit_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect WMI Event Subscription Persistence", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "01d9a0c2-cece-11eb-ab46-acde48001122", "description": "The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible malicious WMI Subscription created on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.003", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.", "known_false_positives": "It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detect_wmi_event_subscription_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detection of tools built by NirSoft", "author": "Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "description": "The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as \"/stext\" and \"/scomma\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["Emotet Malware DHS Report TA18-201A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1072"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* /stext *\" OR Processes.process=\"* /scomma *\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "detection_of_tools_built_by_nirsoft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable AMSI Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "9c27ec42-d338-11eb-9044-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the \"AmsiEnable\" value to \"0x00000000\". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.", "references": ["https://blog.f-secure.com/hunting-for-amsi-bypasses/", "https://gist.github.com/rxwx/8955e5abf18dc258fd6b43a3a7f4dbf9"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable AMSI Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_amsi_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender AntiVirus Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 5, "id": "aa4f695a-3024-11ec-9987-acde48001122", "description": "The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_antivirus_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 5, "id": "2dd719ac-3021-11ec-97b4-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_blockatfirstseen_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender Enhanced Notification", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 4, "id": "dc65678c-301f-11ec-8e30-acde48001122", "description": "The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*Microsoft\\\\Windows Defender\\\\Reporting*\" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_enhanced_notification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may choose to disable windows defender AV", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_enhanced_notification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender MpEngine Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 5, "id": "cc391750-3024-11ec-955a-acde48001122", "description": "The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_mpengine_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender Spynet Reporting", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 5, "id": "898debf4-3021-11ec-ba7c-acde48001122", "description": "The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Qakbot", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_spynet_reporting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Defender Submit Samples Consent Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 5, "id": "73922ff8-3022-11ec-bf5e-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_defender_submit_samples_consent_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable ETW Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 5, "id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "description": "The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" with a value set to \"0x00000000\". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Disable ETW Through Registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_etw_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Logs Using WevtUtil", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "236e7c8e-c9d9-11eb-a824-acde48001122", "description": "The following analytic detects the execution of \"wevtutil.exe\" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident.", "references": ["https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "WevtUtil.exe used to disable Event Logging on $dest", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070", "T1070.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"wevtutil.exe\" Processes.process = \"*sl*\" Processes.process = \"*/e:false*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may disable audit event logs for debugging purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_logs_using_wevtutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Registry Tool", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 6, "id": "cd2cf33c-9201-11eb-a10a-acde48001122", "description": "The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" with a value of \"0x00000001\". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Registry Tools on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_registry_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "db596056-3019-11ec-a9ff-acde48001122", "description": "The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "schtask process with commandline $process$ to disable schedule task in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable problematic schedule task", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Security Logs Using MiniNt Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "39ebdc68-25b9-11ec-aec7-acde48001122", "description": "The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"Control\\\\MiniNt\" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.", "references": ["https://twitter.com/0gtweet/status/1182516740955226112"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_security_logs_using_minint_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Show Hidden Files", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 6, "id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.", "references": ["https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis"], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Show Hidden Files' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\" )) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "disable_show_hidden_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable UAC Remote Restriction", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 5, "id": "9928b732-210e-11ec-b65e-acde48001122", "description": "The following analytic detects the modification of the registry to disable UAC remote restriction by setting the \"LocalAccountTokenFilterPolicy\" value to \"0x00000001\". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\CurrentVersion\\\\Policies\\\\System*\". This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction"], "tags": {"analytic_story": ["CISA AA23-347A", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may set this policy for non-critical machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_uac_remote_restriction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Windows App Hotkeys", "author": "Steven Dick, Teoderick Contreras, Splunkk", "date": "2024-05-11", "version": 5, "id": "1490f224-ad8b-11eb-8c4f-acde48001122", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled 'Windows App Hotkeys' on $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_windows_app_hotkeys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Windows Behavior Monitoring", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "79439cae-9200-11eb-a4d3-acde48001122", "description": "The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "Ransomware", "RedLine Stealer", "Revil Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender real time behavior monitoring disabled on $dest", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_windows_behavior_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disable Windows SmartScreen Protection", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 6, "id": "664f0fd0-91ff-11eb-a56f-acde48001122", "description": "The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Smartscreen was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\", \"*\\\\Microsoft\\\\Windows\\\\System\\\\EnableSmartScreen\") Registry.registry_value_data IN (\"Off\", \"0\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disable_windows_smartscreen_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "114c6bfe-9406-11ec-bcce-acde48001122", "description": "The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "b0b34e2c-90de-11ec-baeb-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainUser` commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication disabled is significant because adversaries can leverage this information to attempt offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to domain accounts, potentially compromising sensitive information and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Disabling CMD Application", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 6, "id": "ff86077c-9212-11eb-a1e6-acde48001122", "description": "The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableCMD\" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows command prompt was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_cmd_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling ControlPanel", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 6, "id": "6ae0148e-9215-11eb-a94a-acde48001122", "description": "The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Control Panel was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_controlpanel_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Defender Services", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 5, "id": "911eacdc-317f-11ec-ad30-acde48001122", "description": "The following analytic detects the disabling of Windows Defender services by monitoring registry modifications. It leverages registry event data to identify changes to specific registry paths associated with Defender services, where the 'Start' value is set to '0x00000004'. This activity is significant because disabling Defender services can indicate an attempt by an adversary to evade detection and maintain persistence on the endpoint. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches or system compromise.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["IcedID", "RedLine Stealer", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_defender_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Firewall with Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 4, "id": "6860a62c-9203-11eb-9e05-acde48001122", "description": "The following analytic identifies the disabling of the firewall using the netsh application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include keywords like \"firewall,\" \"off,\" or \"disable.\" This activity is significant because disabling the firewall can expose the system to external threats, allowing malware to communicate with its command and control (C2) server. If confirmed malicious, this action could lead to unauthorized data exfiltration, further malware downloads, and broader network compromise.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Firewall was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" (Processes.process= \"*off*\" OR Processes.process= \"*disable*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin may disable firewall during testing or fixing network problem.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "disabling_firewall_with_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling FolderOptions Windows Feature", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 6, "id": "83776de4-921a-11eb-868a-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Folder Options feature, which prevents users from showing hidden files and file extensions. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to conceal malicious files and deceive users with fake file extensions. If confirmed malicious, this could allow an attacker to hide their presence and malicious files, making detection and remediation more difficult.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Folder Options, to hide files, was disabled on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_folderoptions_windows_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Net User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "c0325326-acd6-11eb-98c2-acde48001122", "description": "The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1531"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/active:no*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_net_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling NoRun Windows App", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 6, "id": "de81bc46-9213-11eb-adc9-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" with a value of \"0x00000001\". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.malwarebytes.com/detections/pum-optional-norun/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable run application in window start menu on $dest$ by $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_norun_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Remote User Account Control", "author": "David Dorsey, Patrick Bareiss, Splunk", "date": "2024-05-18", "version": 5, "id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "description": "The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA` where the value is set to `0x00000000`. This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.", "references": [], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Remcos", "Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA* Registry.registry_value_data=\"0x00000000\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.", "known_false_positives": "This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_remote_user_account_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling SystemRestore In Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 6, "id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "description": "The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows registry was modified to disable system restore on $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "in some cases admin can disable systemrestore on a machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_systemrestore_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Task Manager", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 6, "id": "dac279bc-9202-11eb-b7fb-acde48001122", "description": "The following analytic identifies modifications to the Windows registry that disable Task Manager. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent users from terminating malicious processes. If confirmed malicious, this could allow attackers to maintain persistence and control over the infected system.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html"], "tags": {"analytic_story": ["NjRAT", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows Task Manager was disabled on $dest$ by $user$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_task_manager_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "author": "Dean Luxton", "date": "2024-05-19", "version": 3, "id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "description": "The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access.", "references": ["https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1556"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LsaCfgFlags\", \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\*\", \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL\") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid Registry.dest Registry.user| `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Potential to be triggered by an administrator disabling protections for troubleshooting purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "disabling_windows_local_security_authority_defences_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DLLHost with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-26", "version": 5, "id": "f1c07594-a141-11eb-8407-acde48001122", "description": "The following analytic detects instances of DLLHost.exe running without command line arguments while establishing a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network activity data. It is significant because DLLHost.exe typically runs with specific arguments, and its absence can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to execute code, move laterally, or exfiltrate data, posing a severe threat to the network's security.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_image", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dllhost_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS Exfiltration Using Nslookup App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "2452e632-9e0d-11eb-bacd-acde48001122", "description": "The following analytic identifies potential DNS exfiltration using the nslookup application. It detects specific command-line parameters such as query type (TXT, A, AAAA) and retry options, which are commonly used by attackers to exfiltrate data. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. This activity is significant as it may indicate an attempt to communicate with a Command and Control (C2) server or exfiltrate sensitive data. If confirmed malicious, this could lead to data breaches and unauthorized access to critical information.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "admin nslookup usage", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dns_exfiltration_using_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Account Discovery with Dsquery", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"dsquery.exe\" AND Processes.process = \"*user*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_account_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Account Discovery With Net App", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "98f6a534-04c2-11ec-96b2-acde48001122", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = \"* user*\" AND Processes.process = \"*/do*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Account Discovery with Wmic", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "383572e0-04c5-11ec-bdcc-acde48001122", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information.", "references": ["https://attack.mitre.org/techniques/T1087/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"wmic.exe\" AND Processes.process = \"*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*GET*\" AND Processes.process = \"*ds_samaccountname*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Controller Discovery with Nltest", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "description": "The following analytic detects the execution of `nltest.exe` with command-line arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `nltest.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"nltest.exe\") (Processes.process=\"*/dclist:*\" OR Processes.process=\"*/dsgetdc:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_controller_discovery_with_nltest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Controller Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain controller discovery on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=\"\" OR Processes.process=\"*DomainControllerAddress*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_controller_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Group Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` (ScriptBlockText = \"*[adsisearcher]*\" AND ScriptBlockText = \"*(objectcategory=group)*\" AND ScriptBlockText = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "domain_group_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Domain Group Discovery With Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "description": "The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to query for domain groups. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `dsquery.exe` to enumerate domain groups, gaining situational awareness and facilitating further Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the domain structure, identify high-value targets, and plan subsequent attacks, potentially leading to privilege escalation or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_group_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "f2f14ac7-fa81-471a-80d5-7eb65c3c7349", "description": "The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Prestige Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Domain Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "description": "The following analytic identifies the execution of `wmic.exe` with command-line arguments used to query for domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness and map out Active Directory structures. If confirmed malicious, this behavior could allow attackers to identify and target specific domain groups, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_group* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "domain_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Download Files Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "58194e28-ae5e-11eb-8912-acde48001122", "description": "The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Phemedrone Stealer", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious files were downloaded with the Telegram application on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal download of file in telegram app. (if it was a common app in network)", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "download_files_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Drop IcedID License dat", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "b7a045fc-f14a-11eb-8e79-acde48001122", "description": "The following analytic detects the dropping of a suspicious file named \"license.dat\" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A process $process_name$ created a file $TargetFilename$ on host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode= 11 TargetFilename = \"*\\\\license.dat\" AND (TargetFilename=\"*\\\\appdata\\\\*\" OR TargetFilename=\"*\\\\programdata\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "drop_icedid_license_dat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "DSQuery Domain Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "cc316032-924a-11eb-91a2-acde48001122", "description": "The following analytic detects the execution of \"dsquery.exe\" with arguments targeting `TrustedDomain` queries directly from the command line. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments. This activity is significant as it often indicates domain trust discovery, a common step in lateral movement or privilege escalation by adversaries. If confirmed malicious, this could allow attackers to map domain trusts, potentially leading to further exploitation and unauthorized access to trusted domains.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc754232(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. If there is a true false positive, filter based on command-line or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dsquery_domain_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Dump LSASS via comsvcs DLL", "author": "Patrick Bareiss, Splunk", "date": "2024-05-25", "version": 3, "id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "description": "The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "Credential Dumping", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Industroyer2", "Living Off The Land", "Prestige Ransomware", "Suspicious Rundll32 Activity", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dump_lsass_via_comsvcs_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Dump LSASS via procdump", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of procdump.exe to dump the LSASS process, specifically looking for the -mm and -ma command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant because dumping LSASS can expose sensitive credentials, posing a severe security risk. If confirmed malicious, an attacker could obtain credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and further compromise of the environment.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"], "tags": {"analytic_story": ["CISA AA22-257A", "Credential Dumping", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "dump_lsass_via_procdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_procdump", "definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Elevated Group Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query elevated domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Active Directory Discovery", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*group*\" AND Processes.process=\"*/do*\") (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "elevated_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Elevated Group Discovery with PowerView", "author": "Mauricio Velazco, Splunk", "date": "2024-06-10", "version": 3, "id": "10d62950-0de5-4199-a710-cff9ea79b413", "description": "The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroupMember/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://attack.mitre.org/techniques/T1069/002/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated group discovery using PowerView on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroupMember*\") AND ScriptBlockText IN (\"*Domain Admins*\",\"*Enterprise Admins*\", \"*Schema Admins*\", \"*Account Operators*\" , \"*Server Operators*\", \"*Protected Users*\", \"*Dns Admins*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "elevated_group_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Elevated Group Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments querying specific elevated domain groups. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes that access the LDAP namespace and search for groups like \"Domain Admins\" or \"Enterprise Admins.\" This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privilege accounts within Active Directory. If confirmed malicious, this behavior could lead to privilege escalation, allowing attackers to gain elevated access and control over critical network resources.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*) (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "elevated_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Enable RDP In Other Port Number", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 5, "id": "99495452-b899-11eb-96dc-acde48001122", "description": "The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" and the \"PortNumber\" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine.", "references": ["https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/"], "tags": {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "RDP was moved to a non-standard port on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "enable_rdp_in_other_port_number_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Enable WDigest UseLogonCredential Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 5, "id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "description": "The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the \"UseLogonCredential\" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network.", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Credential Dumping", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wdigest registry $registry_path$ was modified in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "enable_wdigest_uselogoncredential_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Enumerate Users Local Group Using Telegram", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 4, "id": "fcd74532-ae54-11eb-a5ab-acde48001122", "description": "The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Telegram application has been identified enumerating local groups on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4798 CallerProcessName = \"*\\\\telegram.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by user Computer EventCode CallerProcessName ProcessID SubjectUserSid SubjectDomainName SubjectLogonId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "enumerate_users_local_group_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Esentutl SAM Copy", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "d372f928-ce4f-11eb-a762-acde48001122", "description": "The following analytic detects the use of `esentutl.exe` to access credentials stored in the ntds.dit or SAM file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it may indicate an attempt to extract sensitive credential information, which is a common tactic in lateral movement and privilege escalation. If confirmed malicious, this could allow an attacker to gain unauthorized access to user credentials, potentially compromising the entire network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md", "https://attack.mitre.org/software/S0404/"], "tags": {"analytic_story": ["Credential Dumping", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN (\"*ntds*\", \"*SAM*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "esentutl_sam_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_esentutl", "definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ETW Registry Disabled", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 5, "id": "8ed523ac-276b-11ec-ac39-acde48001122", "description": "The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.", "references": ["https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.006", "T1127", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "etw_registry_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Eventvwr UAC Bypass", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-26", "version": 4, "id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "description": "The following analytic detects an Eventvwr UAC bypass by identifying suspicious registry modifications in the path that Eventvwr.msc references upon execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes and process execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing an attacker to execute arbitrary commands with elevated privileges. If confirmed malicious, this could lead to unauthorized code execution, persistence, and further compromise of the affected system.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://attack.mitre.org/techniques/T1548/002/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*mscfile\\\\shell\\\\open\\\\command\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some false positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "eventvwr_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excel Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "42d40a22-9be3-11eb-8f08-acde48001122", "description": "The following analytic detects Microsoft Excel spawning PowerShell, an uncommon and suspicious behavior. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is \"excel.exe\" and the child process is PowerShell. This activity is significant because it is often associated with spearphishing attacks, where malicious attachments execute encoded PowerShell commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to data exfiltration, privilege escalation, or persistent access within the environment.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" `process_powershell` by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "excel_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excel Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "57fe880a-9be3-11eb-9bf3-acde48001122", "description": "The following analytic identifies instances where Microsoft Excel spawns Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is `excel.exe`. This activity is significant because it is uncommon and often associated with malicious actions, such as spearphishing attacks. If confirmed malicious, this could allow an attacker to execute scripts, potentially leading to code execution, data exfiltration, or further system compromise. Immediate investigation and mitigation are recommended.", "references": ["https://app.any.run/tasks/8ecfbc29-03d0-421c-a5bf-3905d29192a2/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "excel_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Attempt To Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-04", "version": 2, "id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "description": "The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where \"sc.exe\" is used with parameters like \"config\" or \"Disabled\" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"sc.exe\" AND Processes.process=\"*config*\" OR Processes.process=\"*Disabled*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_attempt_to_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive distinct processes from Windows Temp", "author": "Michael Hart, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 4, "id": "23587b6a-c479-11eb-b671-acde48001122", "description": "The following analytic identifies an excessive number of distinct processes executing from the Windows\\Temp directory. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths and counts within a 20-minute window. This behavior is significant as it often indicates the presence of post-exploit frameworks like Koadic and Meterpreter, which use this technique to execute malicious actions. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and maintain persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple processes were executed out of windows\\temp within a short amount of time on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\Windows\\\\Temp\\\\*\" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Many benign applications will create processes from executables in Windows\\Temp, although unlikely to exceed the given threshold. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_distinct_processes_from_windows_temp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive File Deletion In WinDefender Folder", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-12", "version": 3, "id": "b5baa09a-7a05-11ec-8da4-acde48001122", "description": "The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename = \"*\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*\" | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`", "how_to_implement": "To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Windows Defender AV updates may trigger this alert. Please adjust the filter macros to mitigate false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "excessive_file_deletion_in_windefender_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Excessive number of service control start as disabled", "author": "Michael Hart, Splunk", "date": "2024-05-19", "version": 2, "id": "77592bec-d5cc-11eb-9e60-acde48001122", "description": "The following analytic detects an excessive number of `sc.exe` processes launched with the command line argument `start= disabled` within a short period. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and process GUIDs. This activity is significant as it may indicate an attempt to disable critical services, potentially impairing system defenses. If confirmed malicious, this behavior could allow an attacker to disrupt security mechanisms, hinder incident response, and maintain control over the compromised system.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create", "https://attack.mitre.org/techniques/T1562/001/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"sc.exe\" AND Processes.process=\"*start= disabled*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_number_of_service_control_start_as_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive number of taskhost processes", "author": "Michael Hart", "date": "2024-05-20", "version": 4, "id": "f443dac2-c7cf-11eb-ab51-acde48001122", "description": "The following analytic identifies an excessive number of taskhost.exe and taskhostex.exe processes running within a short time frame. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and their counts. This behavior is significant as it is commonly associated with post-exploitation tools like Meterpreter and Koadic, which use multiple instances of these processes for actions such as discovery and lateral movement. If confirmed malicious, this activity could indicate an ongoing attack, allowing attackers to execute code, escalate privileges, or move laterally within the network.", "references": ["https://attack.mitre.org/software/S0250/"], "tags": {"analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"taskhost.exe\" OR Processes.process_name = \"taskhostex.exe\" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == \"taskhost.exe\", pid_count, 0) | eval taskhostex_count_=if(process_name == \"taskhostex.exe\", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 or taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_number_of_taskhost_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Service Stop Attempt", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "ae8d3f4a-acd7-11eb-8846-acde48001122", "description": "The following analytic detects multiple attempts to stop or delete services on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.process_name = \"net1.exe\" AND Processes.process=\"*stop*\" OR Processes.process=\"*delete*\" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_service_stop_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Usage Of Cacls App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "0bdf6092-af17-11eb-939a-acde48001122", "description": "The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Prestige Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"XCACLS.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or administrative scripts may use this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_cacls_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Usage Of Net App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "45e52536-ae42-11eb-b5c6-acde48001122", "description": "The following analytic detects excessive usage of `net.exe` or `net1.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack", "Prestige Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Post-Exploitation", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1531"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown. Filter as needed. Modify the time span as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive Usage of NSLOOKUP App", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "date": "2024-05-15", "version": 3, "id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "description": "The following analytic detects excessive usage of the nslookup application, which may indicate potential DNS exfiltration attempts. It leverages Sysmon EventCode 1 to monitor process executions, specifically focusing on nslookup.exe. The detection identifies outliers by comparing the frequency of nslookup executions against a calculated threshold. This activity is significant as it can reveal attempts by malware or APT groups to exfiltrate data via DNS queries. If confirmed malicious, this behavior could allow attackers to stealthily transfer sensitive information out of the network, bypassing traditional data exfiltration defenses.", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"nslookup.exe\" | bucket _time span=1m | stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Excessive Usage Of SC Service Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "cb6b339e-d4c6-11eb-a026-acde48001122", "description": "The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Azorult", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Excessive Usage Of SC Service Utility", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode = 1 process_name = \"sc.exe\" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_sc_service_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Excessive Usage Of Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "fe5bca48-accb-11eb-a67c-acde48001122", "description": "The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CISA AA22-264A", "CISA AA22-277A", "NjRAT", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "excessive_usage_of_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Exchange PowerShell Abuse via SSRF", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "29228ab4-0762-11ec-94aa-acde48001122", "description": "The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment.", "references": ["https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`exchange` c_uri=\"*//autodiscover*\" cs_uri_query=\"*PowerShell*\" cs_method=\"POST\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`", "how_to_implement": "The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.", "known_false_positives": "Limited false positives, however, tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "exchange", "definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "exchange_powershell_abuse_via_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Exchange PowerShell Module Usage", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 6, "id": "2d10095e-05ae-11ec-8fdf-acde48001122", "description": "The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) to identify these commands. This activity is significant because these modules can be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell vulnerabilities. If confirmed malicious, attackers could export mailbox contents, assign management roles, conduct mailbox searches, or view recipient objects, potentially leading to data exfiltration, privilege escalation, or unauthorized access to sensitive information.", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "CISA AA22-277A", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Exchange PowerShell module usaged was identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "exchange_powershell_module_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Executable File Written in Administrative SMB Share", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 4, "id": "f63c34fe-a435-11eb-935a-acde48001122", "description": "The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed for lateral movement and remote code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code remotely, potentially compromising additional systems within the network.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/", "https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "Prestige Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "$src_user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.exe\",\"*.dll\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode ShareName RelativeTargetName ObjectType AccessMask src_user src_port IpAddress | `security_content_ctime(firstTime)` | `executable_file_written_in_administrative_smb_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "executable_file_written_in_administrative_smb_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Executables Or Script Creation In Suspicious Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "description": "The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \\windows\\fonts\\, \\users\\public\\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "NjRAT", "PlugX", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Snake Keylogger", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\\\windows\\\\fonts\\\\* OR Filesystem.file_path = *\\\\windows\\\\temp\\\\* OR Filesystem.file_path = *\\\\users\\\\public\\\\* OR Filesystem.file_path = *\\\\windows\\\\debug\\\\* OR Filesystem.file_path = *\\\\Users\\\\Administrator\\\\Music\\\\* OR Filesystem.file_path = *\\\\Windows\\\\servicing\\\\* OR Filesystem.file_path = *\\\\Users\\\\Default\\\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\\\Windows\\\\Media\\\\* OR Filesystem.file_path = *\\\\Windows\\\\repair\\\\* OR Filesystem.file_path = *\\\\AppData\\\\Local\\\\Temp* OR Filesystem.file_path = *\\\\PerfLogs\\\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "executables_or_script_creation_in_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Execute Javascript With Jscript COM CLSID", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "dc64d064-d346-11eb-8588-acde48001122", "description": "The following analytic detects the execution of JavaScript using the JScript.Encode CLSID (COM Object) by cscript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as it is a known technique used by ransomware, such as Reddot, to execute malicious scripts and potentially disable AMSI (Antimalware Scan Interface). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cscript.exe\" Processes.process=\"*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "execute_javascript_with_jscript_com_clsid_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Execution of File with Multiple Extensions", "author": "Rico Valdez, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 4, "id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "description": "The following analytic detects the execution of files with multiple extensions, such as \".doc.exe\" or \".pdf.exe\". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the file name contains double extensions. This activity is significant because attackers often use double extensions to disguise malicious executables as benign documents, increasing the likelihood of user execution. If confirmed malicious, this technique can lead to unauthorized code execution, potentially compromising the endpoint and allowing further malicious activities.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "DarkGate Malware", "Masquerading - Rename System Utilities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Parent Process", "Attacker"]}], "message": "process $process$ have double extensions in the file name is executed on $dest$ by $user$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036", "T1036.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.doc.exe\", \"*.xls.exe\",\"*.ppt.exe\", \"*.htm.exe\", \"*.html.exe\", \"*.txt.exe\", \"*.pdf.exe\", \"*.docx.exe\", \"*.xlsx.exe\", \"*.pptx.exe\",\"*.one.exe\", \"*.bat.exe\", \"*rtf.exe\") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "execution_of_file_with_multiple_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Extraction of Registry Hives", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "8bbb7d58-b360-11eb-ba21-acde48001122", "description": "The following analytic detects the use of `reg.exe` to export Windows Registry hives, which may contain sensitive credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `save` or `export` actions targeting the `sam`, `system`, or `security` hives. This activity is significant as it indicates potential offline credential access attacks, often executed from untrusted processes or scripts. If confirmed malicious, attackers could gain access to credential data, enabling further compromise and lateral movement within the network.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=\"*\\sam *\" OR Processes.process=\"*\\system *\" OR Processes.process=\"*\\security *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible some agent based products will generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "extraction_of_registry_hives_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "File with Samsam Extension", "author": "Rico Valdez, Splunk", "date": "2024-05-22", "version": 2, "id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "description": "The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "message": "File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \"(?\\.[^\\.]+)$\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because these extensions are not typically used in normal operations, you should investigate all results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "file_with_samsam_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Firewall Allowed Program Enable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "9a8f63a8-43ac-11ec-904c-acde48001122", "description": "The following analytic detects the modification of a firewall rule to allow the execution of a specific application. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events with command-line arguments related to firewall rule changes. This activity is significant as it may indicate an attempt to bypass firewall restrictions, potentially allowing unauthorized applications to communicate over the network. If confirmed malicious, this could enable an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the target environment.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Azorult", "BlackByte Ransomware", "NjRAT", "PlugX", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "firewall_allowed_program_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "First Time Seen Child Process of Zoom", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "description": "The following analytic identifies the first-time execution of child processes spawned by Zoom (zoom.exe or zoom.us). It leverages Endpoint Detection and Response (EDR) data, specifically monitoring process creation events and comparing them against previously seen child processes. This activity is significant because the execution of unfamiliar child processes by Zoom could indicate malicious exploitation or misuse of the application. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the endpoint.", "references": [], "tags": {"analytic_story": ["Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker", "Child Process"]}], "message": "Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \"`previously_seen_zoom_child_processes_window`\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "first_time_seen_child_process_of_zoom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_seen_zoom_child_processes_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "zoom_first_time_child_process", "description": "A list of suspicious file names", "collection": "zoom_first_time_child_process", "case_sensitive_match": null, "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen"}]}, {"name": "First Time Seen Running Windows Service", "author": "David Dorsey, Splunk", "date": "2024-05-21", "version": 5, "id": "823136f2-d755-4b6d-ae04-372b486a5808", "description": "The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the \"running\" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.", "references": [], "tags": {"analytic_story": ["NOBELIUM Group", "Orangeworm Attack Group", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "first_time_seen_running_windows_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "previously_seen_windows_services_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services"}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running", "collection": "previously_seen_running_windows_services", "case_sensitive_match": null, "fields_list": "_key, service, firstTimeSeen, lastTimeSeen"}]}, {"name": "FodHelper UAC Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 3, "id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "description": "The following analytic detects the execution of fodhelper.exe, which is known to exploit a User Account Control (UAC) bypass by leveraging specific registry keys. The detection method uses Endpoint Detection and Response (EDR) telemetry to identify when fodhelper.exe spawns a child process and accesses the registry keys. This activity is significant because it indicates a potential privilege escalation attempt by an attacker. If confirmed malicious, the attacker could execute commands with elevated privileges, leading to unauthorized system changes and potential full system compromise.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://github.com/gushmazuko/WinBypass/blob/master/FodhelperBypass.ps1", "https://attack.mitre.org/techniques/T1548/002/"], "tags": {"analytic_story": ["IcedID", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious registy keys added by process fodhelper.exe with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112", "T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "fodhelper_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Fsutil Zeroing File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "description": "The following analytic detects the execution of the 'fsutil' command with the 'setzerodata' parameter, which zeros out a target file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is a technique used by ransomware, such as LockBit, to evade detection by erasing its malware path after encrypting the host. If confirmed malicious, this action could hinder forensic investigations and allow attackers to cover their tracks, complicating incident response efforts.", "references": ["https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible file data deletion on $dest$ using $process$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process=\"*setzerodata*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "fsutil_zeroing_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "36e46ebe-065a-11ec-b4c7-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can indicate attempts by adversaries to gather information about domain policies for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain security settings.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADDefaultDomainPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_addefaultdomainpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "description": "The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"Get-ADDefaultDomainPasswordPolicy\" to query domain password policy on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-ADDefaultDomainPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get ADUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-ADUser` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to identify high-value targets and plan subsequent attacks.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUser*\" AND Processes.process = \"*-filter*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_aduser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "21432e40-04f4-11ec-b7e6-acde48001122", "description": "The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"get-aduser\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-aduser*\" ScriptBlockText = \"*-filter*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_aduser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "8b5ef342-065a-11ec-b0fc-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-ADUserResultantPasswordPolicy` cmdlet, which is used to obtain the password policy in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential enumeration of domain policies, a common tactic for situational awareness and Active Directory discovery by adversaries. If confirmed malicious, this could allow attackers to understand password policies, aiding in further attacks such as password spraying or brute force attempts.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUserResultantPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_aduserresultantpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 4, "id": "737e1eb0-065a-11ec-921a-acde48001122", "description": "The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline to query domain user password policy detected on host - $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Get-ADUserResultantPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get DomainPolicy with Powershell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "b8f9947e-065a-11ec-aafb-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` running the `Get-DomainPolicy` cmdlet, which is used to retrieve password policies in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this could lead to unauthorized access to sensitive domain configurations, aiding in privilege escalation and lateral movement within the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get DomainPolicy with Powershell Script Block", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 3, "id": "a360d2b2-065a-11ec-b0bf-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline $ScriptBlockText$ to query domain policy.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-DomainPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "4fa7f846-054a-11ec-a836-acde48001122", "description": "The following analytic identifies the execution of the Get-DomainTrust command from PowerView using PowerShell, which is used to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential reconnaissance efforts by an adversary to understand domain trust relationships, which can inform lateral movement strategies. If confirmed malicious, this could allow attackers to map out the network, identify potential targets, and plan further attacks, potentially compromising additional systems within the domain.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domaintrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get-DomainTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "89275e7e-0548-11ec-bf75-acde48001122", "description": "The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible certain system management frameworks utilize this command to gather trust information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domaintrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get DomainUser with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "9a5a41d6-04e7-11ec-923c-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to enumerate domain users via the `Get-DomainUser` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams using PowerView for Active Directory discovery. If confirmed malicious, this could allow attackers to gain situational awareness and identify valuable targets within the domain, potentially leading to further exploitation.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainUser*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainuser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get DomainUser with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 4, "id": "61994268-04f4-11ec-865c-acde48001122", "description": "The following analytic detects the execution of the `Get-DomainUser` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages PowerShell operational logs to identify instances where this command is executed. Monitoring this activity is crucial as it may indicate an adversary's attempt to gather information about domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain resources.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell process having commandline \"*Get-DomainUser*\" for user enumeration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainUser*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_domainuser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "584f4884-0bf1-11ec-a5ec-acde48001122", "description": "The following analytic detects the execution of the Get-ForestTrust command via PowerShell, commonly used by adversaries to gather domain trust information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying this activity is crucial as it indicates potential reconnaissance efforts to map out domain trusts, which can inform further attacks. If confirmed malicious, this activity could allow attackers to understand domain relationships, aiding in lateral movement and privilege escalation within the network.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_foresttrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get-ForestTrust with PowerShell Script Block", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "description": "The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "get_foresttrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Get WMIObject Group Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "5434f670-155d-11ec-8cca-acde48001122", "description": "The following analytic detects the use of the `Get-WMIObject Win32_Group` command executed via PowerShell to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Identifying local groups can be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out group memberships, aiding in further exploitation or unauthorized access to sensitive resources.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process=\"*Get-WMIObject*\" AND Processes.process=\"*Win32_Group*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_wmiobject_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "69df7f7c-155d-11ec-a055-acde48001122", "description": "The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System group discovery enumeration on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-WMIObject*\" AND ScriptBlockText = \"*Win32_Group*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "get_wmiobject_group_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetAdComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdComputer` commandlet, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it indicates potential reconnaissance efforts by adversaries to map out domain computers, which is a common step in the attack lifecycle. If confirmed malicious, this behavior could allow attackers to gain situational awareness and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadcomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetAdComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 4, "id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "description": "The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-AdComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadcomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetAdGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-AdGroup` commandlet, which is used to query domain groups in a Windows Domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an adversary or Red Team enumerating domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadgroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetAdGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "description": "The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ADGroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getadgroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetCurrent User with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments invoking the `GetCurrent` method of the WindowsIdentity .NET class. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use this method to identify the logged-in user on a compromised endpoint, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this could allow attackers to gain insights into user context, potentially facilitating further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getcurrent_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetCurrent User with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "80879283-c30f-44f7-8471-d1381f6d437a", "description": "The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[System.Security.Principal.WindowsIdentity]*\" ScriptBlockText = \"*GetCurrent()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getcurrent_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetDomainComputer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize `Get-DomainComputer` to discover remote systems. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as `Get-DomainComputer` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to map out the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaincomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetDomainComputer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "f64da023-b988-4775-8d57-38e512beb56e", "description": "The following analytic detects the execution of the `Get-DomainComputer` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for enumerating domain computers within Windows environments. The detection leverages script block text analysis to identify this specific command. Monitoring this activity is crucial as it can indicate an adversary's attempt to gather information about domain computers, which is a common step in Active Directory reconnaissance. If confirmed malicious, this activity could lead to further network enumeration and potential lateral movement within the domain.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainComputer/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaincomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetDomainController with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-DomainController` command, which is used to discover remote systems within a Windows domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it may indicate an attempt to enumerate domain controllers, a common tactic in Active Directory discovery. If confirmed malicious, this activity could allow attackers to gain situational awareness, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery using PowerView on $dest$ by $user$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getdomaincontroller_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetDomainController with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "676b600a-a94d-4951-b346-11329431e6c1", "description": "The following analytic detects the execution of the `Get-DomainController` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for domain enumeration. The detection leverages script block text to identify this specific activity. Monitoring this behavior is crucial as it may indicate an adversary or Red Team performing reconnaissance to map out domain controllers. If confirmed malicious, this activity could lead to further domain enumeration, potentially exposing sensitive information and aiding in lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery with PowerView on $Computer$ by $UserID$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainController*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaincontroller_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetDomainGroup with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "93c94be3-bead-4a60-860f-77ca3fe59903", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that query for domain groups using `Get-DomainGroup`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. Monitoring this activity is crucial as `Get-DomainGroup` is part of PowerView, a tool often used by adversaries for domain enumeration and situational awareness. If confirmed malicious, this activity could allow attackers to gain insights into domain group structures, aiding in further exploitation and privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery with PowerView on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaingroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetDomainGroup with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "description": "The following analytic detects the execution of the `Get-DomainGroup` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerView on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroup*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView functions for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getdomaingroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetLocalUser with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "85fae8fa-0427-11ec-8b78-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with the `Get-LocalUser` commandlet, which is used to query local user accounts. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant because adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify potential targets for further exploitation or privilege escalation within the environment.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getlocaluser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetLocalUser with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "2e891cbe-0426-11ec-9c9c-acde48001122", "description": "The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-LocalUser*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getlocaluser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "description": "The following analytic identifies the execution of `powershell.exe` with the `Get-NetTcpConnection` command, which lists current TCP connections on a system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is significant as it may indicate an adversary or Red Team performing network reconnaissance or situational awareness. If confirmed malicious, this activity could allow attackers to map network connections, aiding in lateral movement or further exploitation within the network.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getnettcpconnection_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetNetTcpconnection with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "091712ff-b02a-4d43-82ed-34765515d95d", "description": "The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $Computer$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-NetTcpconnection*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getnettcpconnection_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet to discover remote systems, specifically targeting the `DS_Computer` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain computers and gather situational awareness within Active Directory. If confirmed malicious, this behavior could allow attackers to map the network, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration using WMI on $dest$ by $user$", "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_computer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify queries targeting domain computers using WMI. Monitoring this activity is crucial as adversaries and Red Teams may use it for Active Directory Discovery and situational awareness. If confirmed malicious, this behavior could allow attackers to map out domain computers, facilitating further attacks such as lateral movement or privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_computer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_computer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "df275a44-4527-443b-b884-7600e066e3eb", "description": "The following analytic identifies the execution of `powershell.exe` with command-line arguments used to query domain groups via the `Get-WmiObject` cmdlet and the `-class ds_group` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this could allow attackers to gain insights into the domain structure, aiding in further attacks and privilege escalation.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_group_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 3, "id": "67740bd3-1506-469c-b91d-effc322cc6e5", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages WMI to query all domain groups. Monitoring this activity is crucial as adversaries and Red Teams may use it for domain group enumeration, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map out the domain structure, potentially leading to further exploitation and privilege escalation within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "22d3b118-04df-11ec-8fa3-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments used to query domain users via the `Get-WmiObject` cmdlet and `-class ds_user` parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this could lead to further attacks, including privilege escalation and lateral movement within the network.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*get-wmiobject*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*root\\\\directory\\\\ldap*\" AND Processes.process = \"*-namespace*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject DS User with PowerShell Script Block", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 4, "id": "fabd364e-04f3-11ec-b34b-acde48001122", "description": "The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). It leverages logs to identify attempts to query all domain users using WMI. This activity is significant as it may indicate an adversary or Red Team operation attempting to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to map out the network and identify potential targets for privilege escalation or lateral movement.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/describing-the-ldap-namespace"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "powershell process having commandline for user enumeration detected on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-wmiobject*\" ScriptBlockText = \"*ds_user*\" ScriptBlockText = \"*-namespace*\" ScriptBlockText = \"*root\\\\directory\\\\ldap*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "getwmiobject_ds_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "b44f6ac6-0429-11ec-87e9-acde48001122", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that utilize the `Get-WmiObject` cmdlet and the `Win32_UserAccount` parameter to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate user accounts for situational awareness or Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getwmiobject_user_account_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "640b0eda-0429-11ec-accd-acde48001122", "description": "The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $UserID$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Get-WmiObject*\" AND ScriptBlockText=\"*Win32_UserAccount*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "getwmiobject_user_account_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "2c853856-a140-11eb-a5b5-acde48001122", "description": "The following analytic detects the execution of gpupdate.exe without command line arguments and with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them, especially with network activity, is often associated with malicious software like Cobalt Strike. If confirmed malicious, this activity could indicate an attacker leveraging gpupdate.exe for lateral movement, command and control, or other nefarious purposes, potentially leading to system compromise.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "C2", "type": "IP Address", "role": ["Attacker"]}], "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "gpupdate_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Headless Browser Mockbin or Mocky Request", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "94fc85a1-e55b-4265-95e1-4b66730e05c0", "description": "The following analytic detects headless browser activity accessing mockbin.org or mocky.io. It identifies processes with the \"--headless\" and \"--disable-gpu\" command line arguments, along with references to mockbin.org or mocky.io. This behavior is significant as headless browsers are often used for automated tasks, including malicious activities like web scraping or automated attacks. If confirmed malicious, this activity could indicate an attempt to bypass traditional browser security measures, potentially leading to data exfiltration or further exploitation of web applications.", "references": ["https://mockbin.org/", "https://www.mocky.io/"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1564.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\" AND (Processes.process=\"*mockbin.org/*\" OR Processes.process=\"*mocky.io/*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "headless_browser_mockbin_or_mocky_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Headless Browser Usage", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "869ba261-c272-47d7-affe-5c0aa85c93d6", "description": "The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the \"--headless\" and \"--disable-gpu\" command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications.", "references": ["https://cert.gov.ua/article/5702579"], "tags": {"analytic_story": ["Forest Blizzard"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Behavior related to headless browser usage detected on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1564.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "headless_browser_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Hide User Account From Sign-In Screen", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 5, "id": "834ba832-ad89-11eb-937d-acde48001122", "description": "The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" with a value of \"0x00000000\". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Warzone RAT", "Windows Registry Abuse", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "registry_value_name", "type": "Other", "role": ["Attacker"]}], "message": "Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "hide_user_account_from_sign_in_screen_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Hiding Files And Directories With Attrib exe", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 6, "id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "description": "The following analytic detects the use of the Windows binary attrib.exe to hide files or directories by marking them with specific flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include the \"+h\" flag. This activity is significant because hiding files can be a tactic used by attackers to conceal malicious files or tools from users and security software. If confirmed malicious, this behavior could allow an attacker to persist in the environment undetected, potentially leading to further compromise or data exfiltration.", "references": [], "tags": {"analytic_story": ["Azorult", "Windows Defense Evasion Tactics", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222", "T1222.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`hiding_files_and_directories_with_attrib_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some applications and users may legitimately use attrib.exe to interact with the files.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "hiding_files_and_directories_with_attrib_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "High Frequency Copy Of Files In Network Share", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "40925f12-4709-11ec-bb43-acde48001122", "description": "The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.", "references": ["https://attack.mitre.org/techniques/T1537/"], "tags": {"analytic_story": ["Information Sabotage", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "High frequency copy of document into a network share from $src_ip$ by $src_user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1537"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=5145 RelativeTargetName IN (\"*.doc\",\"*.docx\",\"*.xls\",\"*.xlsx\",\"*.ppt\",\"*.pptx\",\"*.log\",\"*.txt\",\"*.db\",\"*.7z\",\"*.zip\",\"*.rar\",\"*.tar\",\"*.gz\",\"*.jpg\",\"*.gif\",\"*.png\",\"*.bmp\",\"*.pdf\",\"*.rtf\",\"*.key\") ObjectType=File ShareName IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") AccessMask= \"0x2\" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "This behavior may seen in normal transfer of file within network if network share is common place for sharing documents.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "high_frequency_copy_of_files_in_network_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "High Process Termination Frequency", "author": "Teoderick Contreras", "date": "2024-05-12", "version": 3, "id": "17cd75b2-8666-11eb-9ab4-acde48001122", "description": "The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware", "LockBit Ransomware", "Rhysida Ransomware", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "proc_terminated", "type": "Process", "role": ["Target"]}], "message": "High frequency process termination (more than 15 processes within 3s) detected on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin or user tool that can terminate multiple process.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "high_process_termination_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Hunting 3CXDesktopApp Software", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "description": "The following analytic detects the presence of any version of the 3CXDesktopApp, also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint data model's Processes node to identify instances of the application running, although it does not provide file version information. This activity is significant because 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could be exploited by attackers. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected systems.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance $process_name$ was identified on endpoint $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1195.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name=\"3CX Desktop App\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "hunting_3cxdesktopapp_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Icacls Deny Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "description": "The following analytic detects instances where an adversary modifies security permissions of a file or directory using commands like \"icacls.exe\", \"cacls.exe\", or \"xcacls.exe\" with deny options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and impede access to critical files. If confirmed malicious, this could allow attackers to maintain persistence and hinder incident response efforts.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Azorult", "Sandworm Tools", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/deny*\", \"*/D*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "icacls_deny_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ICACLS Grant Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "b1b1e316-accc-11eb-a9b4-acde48001122", "description": "The following analytic detects the use of the ICACLS command to grant additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to manipulate file permissions, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["Ransomware", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/grant*\", \"*/G*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "icacls_grant_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "IcedID Exfiltrated Archived File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "0db4da70-f14b-11eb-8043-acde48001122", "description": "The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $TargetFilename$ on host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode= 11 (TargetFilename = \"*\\\\passff.tar\" OR TargetFilename = \"*\\\\cookie.tar\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "icedid_exfiltrated_archived_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 4, "id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "description": "The following analytic identifies the use of suspicious command-line parameters associated with Impacket tools, such as `wmiexec.py`, `smbexec.py`, `dcomexec.py`, and `atexec.py`, which are used for lateral movement and remote code execution. It detects these activities by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns. This activity is significant because Impacket tools are commonly used by adversaries and Red Teams to move laterally within a network. If confirmed malicious, this could allow attackers to execute commands remotely, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = \"*/Q /c * \\\\\\\\127.0.0.1\\\\*$*\" AND Processes.process IN (\"*2>&1*\",\"*2>&1*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "impacket_lateral_movement_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "description": "The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of Impacket tool usage. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement. If confirmed malicious, this activity could allow attackers to execute commands on remote endpoints, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process,\"(?i)echo\\s+cd\") AND match(process, \"(?i)\\\\__output\") AND match(process, \"(?i)C:\\\\\\\\Windows\\\\\\\\[a-zA-Z]{1,8}\\\\.bat\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "impacket_lateral_movement_smbexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "description": "The following analytic detects the use of Impacket's `wmiexec.py` tool for lateral movement by identifying specific command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned by `wmiprvse.exe` with command-line patterns indicative of Impacket usage. This activity is significant as Impacket tools are commonly used by adversaries for remote code execution and lateral movement within a network. If confirmed malicious, this could allow attackers to execute arbitrary commands on remote systems, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "Data Destruction", "Graceful Wipe Out Attack", "Industroyer2", "Prestige Ransomware", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") AND match(process, \"__\\\\d{1,10}\\\\.\\\\d{1,10}\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 5, "id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "description": "The following analytic detects the use of the `Enter-PSSession` cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An interactive session was opened on a remote endpoint from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Enter-PSSession*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "interactive_session_on_remote_endpoint_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Java Class File download by Java User Agent", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "8281ce42-5c50-11ec-82d2-acde48001122", "description": "The following analytic identifies a Java user agent performing a GET request for a .class file from a remote site. It leverages web or proxy logs within the Web Datamodel to detect this activity. This behavior is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, an attacker could exploit vulnerabilities in the Java application, potentially leading to remote code execution and further compromise of the affected system.", "references": ["https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_user_agent", "type": "Other", "role": ["Other"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}], "message": "A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_user_agent=\"*Java*\" Web.http_method=\"GET\" Web.url=\"*.class*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "Filtering may be required in some instances, filter as needed.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "java_class_file_download_by_java_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Java Writing JSP File", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "eb65619c-4f8d-4383-a975-d352765d344b", "description": "The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Spring4Shell CVE-2022-22965", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"java\",\"java.exe\", \"javaw.exe\") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.jsp*\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "java_writing_jsp_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Jscript Execution Using Cscript App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "002f1e24-146e-11ec-a470-acde48001122", "description": "The following analytic detects the execution of JScript using the cscript.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This behavior is significant because JScript files are typically executed by wscript.exe, making cscript.exe execution unusual and potentially indicative of malicious activity, such as the FIN7 group's tactics. If confirmed malicious, this activity could allow attackers to execute arbitrary scripts, leading to code execution, data exfiltration, or further system compromise.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute jscript in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"cscript.exe\" AND Processes.parent_process = \"*//e:jscript*\") OR (Processes.process_name = \"cscript.exe\" AND Processes.process = \"*//e:jscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "jscript_execution_using_cscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Kerberoasting spn request with RC4 encryption", "author": "Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 6, "id": "5cc67381-44fa-4111-8a37-7a230943f027", "description": "The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools. This activity is significant as Kerberoasting allows attackers to request service tickets for domain accounts, typically service accounts, and crack them offline to gain privileged access. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/4e3e9c8096dde00639a6b98845ec349135554ed5/atomics/T1208/T1208.md", "https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential kerberoasting attack via service principal name requests detected on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4769 ServiceName!=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, service, TicketEncryptionType, TicketOptions | rename Computer as dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberoasting_spn_request_with_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "0cb847ee-9423-11ec-b2df-acde48001122", "description": "The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User Name", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled for $user$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Unknown.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "59b51620-94c9-11ec-b3d5-acde48001122", "description": "The following analytic detects the use of the `Set-ADAccountControl` PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific command execution. Disabling Kerberos Pre-Authentication is significant because it allows adversaries to perform offline brute force attacks against user passwords using the AS-REP Roasting technique. If confirmed malicious, this activity could enable attackers to escalate privileges or maintain persistence within an Active Directory environment, posing a severe security risk.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Kerberos Pre Authentication was Disabled using PowerShell on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Although unlikely, Administrators may need to set this flag for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "7d90f334-a482-11ec-908c-acde48001122", "description": "The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.", "references": ["https://attack.mitre.org/techniques/T1558/001/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769", "https://adsecurity.org/?p=1515", "https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos Service TTicket request with RC4 encryption was requested from $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_service_ticket_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos TGT Request Using RC4 Encryption", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "18916468-9c04-11ec-bdc6-acde48001122", "description": "The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$ | stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_tgt_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "kerberos_tgt_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Kerberos User Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "description": "The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.", "references": ["https://github.com/ropnop/kerbrute", "https://attack.mitre.org/techniques/T1589/002/", "https://redsiege.com/tools-techniques/2020/04/user-enumeration-part-3-windows/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential Kerberos based user enumeration attack $src_ip$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1589", "T1589.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4768 Status=0x6 TargetUserName!=\"*$\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by src_ip | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1| `kerberos_user_enumeration_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "kerberos_user_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Known Services Killed by Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 3, "id": "3070f8e0-c528-11eb-b2a0-acde48001122", "description": "The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "param1", "type": "Other", "role": ["Other"]}], "message": "Known services $param1$ terminated by a potential ransomware on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7036 param1 IN (\"*Volume Shadow Copy*\",\"*VSS*\", \"*backup*\", \"*sophos*\", \"*sql*\", \"*memtas*\", \"*mepocs*\", \"*veeam*\", \"*svc$*\", \"DefWatch\", \"ccEvtMgr\", \"ccSetMgr\", \"SavRoam\", \"RTVscan\", \"QBFCService\", \"QBIDPService\", \"Intuit.QuickBooks.FCS\", \"QBCFMonitorService\" \"YooBackup\", \"YooIT\", \"*Veeam*\", \"PDVFSService\", \"BackupExecVSSProvider\", \"BackupExecAgentAccelerator\", \"BackupExec*\", \"WdBoot\", \"WdFilter\", \"WdNisDrv\", \"WdNisSvc\", \"WinDefend\", \"wscsvc\", \"Sense\", \"sppsvc\", \"SecurityHealthService\") param2=\"stopped\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.", "known_false_positives": "Admin activities or installing related updates may do a sudden stop to list of services we monitor.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "known_services_killed_by_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Linux Account Manipulation Of SSH Config and Keys", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "description": "The following analytic detects the deletion of SSH keys on a Linux machine. It leverages filesystem event logs to identify when files within \"/etc/ssh/*\" or \"~/.ssh/*\" are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN (\"/etc/ssh/*\", \"~/.ssh/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_account_manipulation_of_ssh_config_and_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Add Files In Known Crontab Directories", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "023f3452-5f27-11ec-bf00-acde48001122", "description": "The following analytic detects unauthorized file creation in known crontab directories on Unix-based systems. It leverages filesystem data to identify new files in directories such as /etc/cron* and /var/spool/cron/*. This activity is significant as it may indicate an attempt by threat actors or malware to establish persistence on a compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/", "https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/cron*\", \"*/var/spool/cron/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_add_files_in_known_crontab_directories_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Add User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "description": "The following analytic detects the creation of new user accounts on Linux systems using commands like \"useradd\" or \"adduser.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.", "references": ["https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create user account on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"useradd\", \"adduser\") OR Processes.process IN (\"*useradd *\", \"*adduser *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_add_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Adding Crontab Using List Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "description": "The following analytic detects suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to establish persistence or execute malicious code on a schedule. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. Further investigation should analyze the added cron job, its associated command, and any related processes.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Gomir", "Industroyer2", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab list command $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"crontab\" Processes.process= \"* -l*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_adding_crontab_using_list_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux apt-get Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 2, "id": "d870ce3b-e796-402f-b2af-cab4da1223f2", "description": "The following analytic detects the execution of the 'apt-get' command with elevated privileges using 'sudo' on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a user may be attempting to escalate privileges to root, which could lead to unauthorized system control. If confirmed malicious, an attacker could gain root access, allowing them to execute arbitrary commands, install or remove software, and potentially compromise the entire system.", "references": ["https://gtfobins.github.io/gtfobins/apt-get/", "https://phoenixnap.com/kb/how-to-use-apt-get-commands"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt-get*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_apt_get_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux APT Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-22", "version": 2, "id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "description": "The following analytic detects the use of the Advanced Package Tool (APT) with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where APT commands are executed with sudo rights. This activity is significant because it indicates a user can run system commands as root, potentially leading to unauthorized root shell access. If confirmed malicious, this could allow an attacker to escalate privileges, execute arbitrary commands, and gain full control over the affected system, posing a severe security risk.", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://www.digitalocean.com/community/tutorials/what-is-apt"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_apt_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux At Allow Config File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "977b3082-5f3d-11ec-b954-acde48001122", "description": "The following analytic detects the creation of the /etc/at.allow or /etc/at.deny configuration files in Linux. It leverages file creation events from the Endpoint datamodel to identify when these files are created. This activity is significant as these files control user permissions for the \"at\" scheduling application and can be abused by attackers to establish persistence. If confirmed malicious, this could allow unauthorized execution of malicious code, leading to potential data theft or further system compromise. Analysts should review the file path, creation time, and associated processes to assess the threat.", "references": ["https://linuxize.com/post/at-command-in-linux/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/at.allow\", \"*/etc/at.deny\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_at_allow_config_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux At Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 3, "id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "description": "The following analytic detects the execution of the \"At\" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with \"at\" or \"atd\". This activity is significant because the \"At\" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.", "references": ["https://attack.mitre.org/techniques/T1053/001/", "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "At application was executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.002", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"at\", \"atd\") OR Processes.parent_process_name IN (\"at\", \"atd\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_at_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux AWK Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-26", "version": 2, "id": "4510cae0-96a2-4840-9919-91d262db210a", "description": "The following analytic detects the use of the AWK command with elevated privileges to execute system commands. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring processes that include \"sudo,\" \"awk,\" and \"BEGIN*system\" in their command lines. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by executing commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control over the affected endpoint.", "references": ["https://www.hacknos.com/awk-privilege-escalation/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*\" AND Processes.process=\"*awk*\" AND Processes.process=\"*BEGIN*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Busybox Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-27", "version": 2, "id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "description": "The following analytic detects the execution of BusyBox with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where BusyBox is executed with both 'sh' and 'sudo' commands. This activity is significant because it indicates a user may be attempting to gain root access, bypassing standard security controls. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and potential persistence within the environment.", "references": ["https://gtfobins.github.io/gtfobins/busybox/", "https://man.archlinux.org/man/busybox.1.en"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*busybox*\" AND Processes.process=\"*sh*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_busybox_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux c89 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-30", "version": 2, "id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "description": "The following analytic detects the execution of the 'c89' command with elevated privileges, which can be used to compile and execute C programs as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute arbitrary commands as root. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute any command with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/c89/", "https://www.ibm.com/docs/en/zos/2.1.0?topic=guide-c89-compiler-invocation-using-host-environment-variables"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c89*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_c89_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux c99 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-21", "version": 2, "id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "description": "The following analytic detects the execution of the c99 utility with sudo privileges, which can lead to privilege escalation on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of the c99 utility to gain root access, which is critical for maintaining system security. If confirmed malicious, this could allow an attacker to execute commands as root, potentially compromising the entire system and accessing sensitive information.", "references": ["https://gtfobins.github.io/gtfobins/c99/", "https://pubs.opengroup.org/onlinepubs/009604499/utilities/c99.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c99*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_c99_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Change File Owner To Root", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c1400ea2-6257-11ec-ad49-acde48001122", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "references": ["https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users", "https://askubuntu.com/questions/617850/changing-from-user-to-superuser"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may change ownership to root on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222.002", "T1222"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = \"*chown *\") AND Processes.process = \"* root *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_change_file_owner_to_root_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Clipboard Data Copy", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "description": "The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://linux.die.net/man/1/xclip"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1115"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN (\"*-o *\", \"*-sel *\", \"*-selection *\", \"*clip *\",\"*clipboard*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_clipboard_data_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Common Process For Elevation Control", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "66ab15c0-63d0-11ec-9e70-acde48001122", "description": "The following analytic identifies the execution of common Linux processes used for elevation control, such as `chmod`, `chown`, and `setuid`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because these processes are often abused by adversaries to gain persistence or escalate privileges on compromised hosts. If confirmed malicious, this behavior could allow attackers to modify file attributes, change file ownership, or set user IDs, potentially leading to unauthorized access and control over critical system resources.", "references": ["https://attack.mitre.org/techniques/T1548/001/", "https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297", "https://github.com/bfuzzy1/auditd-attack/blob/master/auditd-attack/auditd-attack.rules#L269-L270", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ with process $process_name$ on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.001", "T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"chmod\", \"chown\", \"fchmod\", \"fchmodat\", \"fchown\", \"fchownat\", \"fremovexattr\", \"fsetxattr\", \"lchown\", \"lremovexattr\", \"lsetxattr\", \"removexattr\", \"setuid\", \"setgid\", \"setreuid\", \"setregid\", \"chattr\") OR Processes.process IN (\"*chmod *\", \"*chown *\", \"*fchmod *\", \"*fchmodat *\", \"*fchown *\", \"*fchownat *\", \"*fremovexattr *\", \"*fsetxattr *\", \"*lchown *\", \"*lremovexattr *\", \"*lsetxattr *\", \"*removexattr *\", \"*setuid *\", \"*setgid *\", \"*setreuid *\", \"*setregid *\", \"*setcap *\", \"*chattr *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_common_process_for_elevation_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Composer Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 2, "id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "description": "The following analytic detects the execution of the Composer tool with elevated privileges on a Linux system. It identifies instances where Composer is run with the 'sudo' command, allowing the user to execute system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to unauthorized root access. If confirmed malicious, an attacker could gain full control over the system, execute arbitrary commands, and compromise sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/composer/", "https://getcomposer.org/doc/00-intro.md"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*composer*\" AND Processes.process=\"*run-script*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_composer_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Cpulimit Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 2, "id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "description": "The following analytic detects the use of the 'cpulimit' command with specific flags ('-l', '-f') executed with 'sudo' privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because if 'cpulimit' is granted sudo rights, a user can potentially execute system commands as root, leading to privilege escalation. If confirmed malicious, this could allow an attacker to gain root access, execute arbitrary commands, and fully compromise the affected system.", "references": ["https://gtfobins.github.io/gtfobins/cpulimit/", "http://cpulimit.sourceforge.net/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*cpulimit*\" AND Processes.process=\"*-l*\" AND Processes.process=\"*-f*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_cpulimit_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Csvtool Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-20", "version": 2, "id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "description": "The following analytic detects the execution of the 'csvtool' command with 'sudo' privileges, which can allow a user to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain unauthorized root access. If confirmed malicious, this could lead to full system compromise, allowing an attacker to execute arbitrary commands, escalate privileges, and maintain persistent access.", "references": ["https://gtfobins.github.io/gtfobins/csvtool/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*csvtool*\" AND Processes.process=\"*call*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_csvtool_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Curl Upload File", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "description": "The following analytic detects the use of the curl command with specific switches (-F, --form, --upload-file, -T, -d, --data, --data-raw, -I, --head) to upload AWS credentials or configuration files to a remote destination. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to exfiltrate sensitive AWS credentials, a technique known to be used by the TeamTNT group. If confirmed malicious, this could lead to unauthorized access and potential compromise of AWS resources.", "references": ["https://curl.se/docs/manpage.html", "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Data Exfiltration", "Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-F *\", \"*--form *\",\"*--upload-file *\",\"*-T *\",\"*-d *\",\"*--data *\",\"*--data-raw *\", \"*-I *\", \"*--head *\") AND Processes.process IN (\"*.aws/credentials*\". \"*.aws/config*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_curl_upload_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Data Destruction Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "description": "The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage.", "references": ["https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process IN (\"* -rf*\", \"* -fr*\") AND Processes.process = \"* --no-preserve-root\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_data_destruction_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux DD File Overwrite", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "description": "The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.", "references": ["https://gtfobins.github.io/gtfobins/dd/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dd\" AND Processes.process = \"*of=*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_dd_file_overwrite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Decode Base64 to Shell", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "637b603e-1799-40fd-bf87-47ecbd551b66", "description": "The following analytic detects the decoding of base64-encoded data and its execution in a Linux shell. It leverages the Endpoint.Processes data model to search for commands like \"base64 -d\" and \"base64 --decode\" combined with Linux shell execution. This activity is significant because base64 encoding is often used to obfuscate malicious commands or payloads, indicating potential malicious activity. If confirmed malicious, this behavior could allow an attacker to execute unauthorized commands, gain unauthorized access, exfiltrate data, or perform other harmful actions on the Linux system.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027", "T1059.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") AND Processes.process=\"*|*\" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate software being utilized. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_decode_base64_to_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "description": "The following analytic detects the deletion of critical directories on a Linux machine using the `rm` command with argument rf. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant because deleting these directories can severely disrupt system operations and is often associated with destructive campaigns like Industroyer2. If confirmed malicious, this action could lead to system instability, data loss, and potential downtime, making it crucial for immediate investigation and response.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A deletion in known critical list of folder using rm command $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= \"* -rf *\" AND Processes.process IN (\"*/boot/*\", \"*/var/log/*\", \"*/etc/*\", \"*/dev/*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_deleting_critical_directory_using_rm_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion Of Cron Jobs", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "description": "The following analytic detects the deletion of cron jobs on a Linux machine. It leverages filesystem event logs to identify when files within the \"/etc/cron.*\" directory are deleted. This activity is significant because attackers or malware may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. If confirmed malicious, this action could allow an attacker to disrupt system operations, evade security measures, or facilitate further malicious activities such as data wiping, as seen with the acidrain malware.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path=\"/etc/cron.*\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_deletion_of_cron_jobs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion Of Init Daemon Script", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "description": "The following analytic detects the deletion of init daemon scripts on a Linux machine. It leverages filesystem event logs to identify when files within the /etc/init.d/ directory are deleted. This activity is significant because init daemon scripts control the start and stop of critical services, and their deletion can indicate an attempt to impair security features or evade defenses. If confirmed malicious, this behavior could allow an attacker to disrupt essential services, execute destructive payloads, or persist undetected in the environment.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Init daemon script deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/init.d/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_deletion_of_init_daemon_script_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion Of Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 3, "id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "description": "The following analytic detects the deletion of services on a Linux machine. It leverages filesystem event logs to identify when service files within system directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This activity is significant because attackers may delete or modify services to disable security features or evade defenses. If confirmed malicious, this behavior could indicate an attempt to impair system functionality or execute a destructive payload, potentially leading to system instability or data loss. Immediate investigation is required to determine the responsible process and user.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AcidRain", "AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/systemd/*\", \"*/lib/systemd/*\", \"*/run/systemd/*\") Filesystem.file_path = \"*.service\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_deletion_of_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Deletion of SSL Certificate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "839ab790-a60a-4f81-bfb3-02567063f615", "description": "The following analytic detects the deletion of SSL certificates on a Linux machine. It leverages filesystem event logs to identify when files with extensions .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant because attackers may delete or modify SSL certificates to disable security features or evade defenses on a compromised system. If confirmed malicious, this behavior could indicate an attempt to disrupt secure communications, evade detection, or execute a destructive payload, potentially leading to significant security breaches and data loss.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "SSL certificate deleted on host $dest$ by process GUID- $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/ssl/certs/*\" Filesystem.file_path IN (\"*.pem\", \"*.crt\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_deletion_of_ssl_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Disable Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "description": "The following analytic detects attempts to disable a service on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" with commands containing \"disable.\" This activity is significant as adversaries may disable security or critical services to evade detection and facilitate further malicious actions, such as deploying destructive payloads. If confirmed malicious, this could lead to the termination of essential security services, allowing attackers to persist undetected and potentially cause significant damage to the system.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process = \"* disable*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Doas Conf File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "f6343e86-6e09-11ec-9376-acde48001122", "description": "The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages filesystem data from the Endpoint data model, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/doas.conf\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_doas_conf_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Doas Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "d5a62490-6e09-11ec-884e-acde48001122", "description": "The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A doas $process_name$ with commandline $process$ was executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"doas\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_doas_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Docker Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3", "description": "The following analytic detects attempts to escalate privileges on a Linux system using Docker. It identifies processes where Docker commands are used to mount the root directory or execute shell commands within a container. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, command-line arguments, and parent processes. This activity is significant because it can allow an attacker with Docker privileges to modify critical system files, such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead to full system compromise and persistent unauthorized access.", "references": ["https://gtfobins.github.io/gtfobins/docker/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN(\"*docker*-v*/*:*\",\"*docker*--volume*/*:*\") OR Processes.process IN(\"*docker*exec*sh*\",\"*docker*exec*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_docker_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Edit Cron Table Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "0d370304-5f26-11ec-a4bb-acde48001122", "description": "The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible crontab edit command $process$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = \"*crontab *\" Processes.process = \"* -e*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_edit_cron_table_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Emacs Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "92033cab-1871-483d-a03b-a7ce98665cfc", "description": "The following analytic detects the execution of Emacs with elevated privileges using the `sudo` command and the `--eval` option. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by running Emacs with elevated permissions. If confirmed malicious, this could allow an attacker to execute arbitrary commands as root, leading to full system compromise and unauthorized access to sensitive information.", "references": ["https://gtfobins.github.io/gtfobins/emacs/", "https://en.wikipedia.org/wiki/Emacs"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*emacs*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_emacs_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux File Created In Kernel Driver Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "b85bbeec-6326-11ec-9311-acde48001122", "description": "The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/kernel/drivers/*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_file_created_in_kernel_driver_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux File Creation In Init Boot Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "description": "The following analytic detects the creation of files in Linux init boot directories, which are used for automatic execution upon system startup. It leverages file system logs to identify new files in directories such as /etc/init.d/ and /etc/rc.d/. This activity is significant as it is a common persistence technique used by adversaries, malware authors, and red teamers. If confirmed malicious, this could allow an attacker to maintain persistence on the compromised host, potentially leading to further exploitation and unauthorized control over the system.", "references": ["https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1037.004", "T1037"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/init.d/*\", \"*/etc/rc.d/*\", \"*/sbin/init.d/*\", \"*/etc/rc.local*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_file_creation_in_init_boot_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux File Creation In Profile Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "46ba0082-61af-11ec-9826-acde48001122", "description": "The following analytic detects the creation of files in the /etc/profile.d directory on Linux systems. It leverages filesystem data to identify new files in this directory, which is often used by adversaries for persistence by executing scripts upon system boot. This activity is significant as it may indicate an attempt to maintain long-term access to the compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges each time the system boots, potentially leading to further compromise and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1546/004/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.004", "T1546"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/profile.d/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_file_creation_in_profile_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Find Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-28", "version": 2, "id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "description": "The following analytic detects the use of the 'find' command with 'sudo' and '-exec' options, which can indicate an attempt to escalate privileges on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line arguments. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could enable an attacker to gain full control over the system, leading to severe security breaches and unauthorized access to sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/find/", "https://en.wikipedia.org/wiki/Find_(Unix)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*find*\" AND Processes.process=\"*-exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_find_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux GDB Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-16", "version": 2, "id": "310b7da2-ab52-437f-b1bf-0bd458674308", "description": "The following analytic detects the execution of the GNU Debugger (GDB) with specific flags that indicate an attempt to escalate privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify processes where GDB is run with the `-nx`, `-ex`, and `sudo` flags. This activity is significant because it can allow a user to execute system commands as root, potentially leading to a root shell. If confirmed malicious, this could result in full system compromise, allowing an attacker to gain complete control over the affected endpoint.", "references": ["https://gtfobins.github.io/gtfobins/gdb/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gdb*\" AND Processes.process=\"*-nx*\" AND Processes.process=\"*-ex*!*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_gdb_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Gem Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-24", "version": 2, "id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "description": "The following analytic detects the execution of the RubyGems utility with elevated privileges, specifically when it is used to run system commands as root. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"gem open -e\" and \"sudo\". This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as the root user. If confirmed malicious, this could lead to full system compromise, enabling the attacker to gain root access and execute arbitrary commands with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/gem/", "https://en.wikipedia.org/wiki/RubyGems"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gem*open*-e*\" AND Processes.process=\"*-c*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_gem_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux GNU Awk Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-16", "version": 2, "id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "description": "The following analytic detects the execution of the 'gawk' command with elevated privileges on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry to identify command-line executions where 'gawk' is used with 'sudo' and 'BEGIN{system' patterns. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full root access, enabling the attacker to control the system, modify critical files, and maintain persistent access.", "references": ["https://gtfobins.github.io/gtfobins/gawk/", "https://www.geeksforgeeks.org/gawk-command-in-linux-with-examples/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gawk*\" AND Processes.process=\"*BEGIN*{system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_gnu_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Hardware Addition SwapOff", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "c1eea697-99ed-44c2-9b70-d8935464c499", "description": "The following analytic detects the execution of the \"swapoff\" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ swap off paging device in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1200"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"swapoff\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may disable swapping of devices in a linux host. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_hardware_addition_swapoff_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "description": "The following analytic detects a high frequency of file deletions in the /boot/ folder on Linux systems. It leverages filesystem event logs to identify when 200 or more files are deleted within an hour by the same process. This behavior is significant as it may indicate the presence of wiper malware, such as Industroyer2, which targets critical system directories. If confirmed malicious, this activity could lead to system instability or failure, hindering the boot process and potentially causing a complete system compromise.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/boot/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 3, "id": "9d867448-2aff-4d07-876c-89409a752ff8", "description": "The following analytic detects a high frequency of file deletions in the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model to identify instances where 200 or more files are deleted within an hour, grouped by process name and process ID. This behavior is significant as it may indicate the presence of wiper malware, such as AcidRain, which aims to delete critical system files. If confirmed malicious, this activity could lead to severe system instability, data loss, and potential disruption of services.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Impair Defenses Process Kill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "description": "The following analytic identifies the execution of the 'pkill' command, which is used to terminate processes on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because threat actors often use 'pkill' to disable security defenses or terminate critical processes, facilitating further malicious actions. If confirmed malicious, this behavior could lead to the disruption of security applications, enabling attackers to evade detection and potentially corrupt or destroy files on the targeted system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ tries to execute pkill commandline to terminate process in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( \"pgrep\", \"pkill\") Processes.process = \"*pkill *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can terminate a process using this linux command. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_impair_defenses_process_kill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Indicator Removal Clear Cache", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "e0940505-0b73-4719-84e6-cb94c44a5245", "description": "The following analytic detects processes that clear or free page cache on a Linux system. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line executions involving the kernel system request `drop_caches`. This activity is significant as it may indicate an attempt to delete forensic evidence or the presence of wiper malware like Awfulshred. If confirmed malicious, this behavior could allow an attacker to cover their tracks, making it difficult to investigate other malicious activities or system compromises.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ clear cache using kernel drop cache system request in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") AND Processes.process IN(\"* echo 3 > *\", \"* echo 2 > *\",\"* echo 1 > *\") AND Processes.process = \"*/proc/sys/vm/drop_caches\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_indicator_removal_clear_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Indicator Removal Service File Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "description": "The following analytic detects the deletion of Linux service unit configuration files by suspicious processes. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes executing the 'rm' command targeting '.service' files. This activity is significant as it may indicate malware attempting to disable critical services or security products, a common defense evasion tactic. If confirmed malicious, this behavior could lead to service disruption, security tool incapacitation, or complete system compromise, severely impacting the integrity and availability of the affected Linux host.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a $process_name$ has a commandline $process$ to delete service configuration file in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process = \"*rm *\" AND Processes.process = \"*.service\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can delete services unit configuration file as part of normal software installation. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_indicator_removal_service_file_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ingress Tool Transfer Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "description": "The following analytic detects the use of 'curl' and 'wget' commands within a Linux environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, user information, and command-line executions. This activity is significant as 'curl' and 'wget' are commonly used for downloading files, which can indicate potential ingress of malicious tools. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Monitoring and tuning this detection helps identify and differentiate between normal and potentially harmful usage.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing curl or wget.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. This query is meant to help tune other curl and wget analytics.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ingress_tool_transfer_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ingress Tool Transfer with Curl", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "description": "The following analytic detects the use of the curl command with specific switches (-O, -sO, -ksO, --output) commonly used to download remote scripts or binaries. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to download and execute potentially malicious files, often used in initial stages of an attack. If confirmed malicious, this could lead to unauthorized code execution, enabling attackers to compromise the system further.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details.", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, \"(?i)(-O|-sO|-ksO|--output)\") | `linux_ingress_tool_transfer_with_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present. Tune and then change type to TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ingress_tool_transfer_with_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "18b5a1a0-6326-11ec-943a-acde48001122", "description": "The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_insert_kernel_module_using_insmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "387b278a-6326-11ec-aa2c-acde48001122", "description": "The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may install kernel module on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_install_kernel_module_using_modprobe_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Iptables Firewall Modification", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "description": "The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns that alter firewall rules to accept traffic on certain TCP ports. This activity is significant as it can indicate malware, such as CyclopsBlink, modifying firewall settings to allow communication with a Command and Control (C2) server. If confirmed malicious, this could enable attackers to maintain persistent access and exfiltrate data, posing a severe security risk.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process name - $process_name$ that may modify iptables firewall on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*iptables *\" AND Processes.process = \"* --dport *\" AND Processes.process = \"* ACCEPT*\" AND Processes.process = \"*&>/dev/null*\" AND Processes.process = \"* tcp *\" AND NOT(Processes.parent_process_path IN(\"/bin/*\", \"/lib/*\", \"/usr/bin/*\", \"/sbin/*\")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process \"--dport (?3269|636|989|994|995|8443)\" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_iptables_firewall_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Java Spawning Shell", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "7b09db8a-5c20-11ec-9945-acde48001122", "description": "The following analytic detects instances where Java, Apache, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant as it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Spring4Shell CVE-2022-22965"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_java_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Kernel Module Enumeration", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "6df99886-0e04-4c11-8b88-325747419278", "description": "The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system.", "references": ["https://man7.org/linux/man-pages/man8/kmod.8.html"], "tags": {"analytic_story": ["Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082", "T1014"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN (\"*lsmod*\", \"*list*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_kernel_module_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Kworker Process In Writable Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "description": "The following analytic detects the execution of a kworker process with a command line in writable directories such as /home/, /var/log, and /tmp on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process paths. This activity is significant as kworker processes are typically kernel threads, and their presence in writable directories is unusual and indicative of potential malware, such as CyclopsBlink. If confirmed malicious, this could allow attackers to blend malicious processes with legitimate ones, leading to persistent access and further system compromise.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ with kworker commandline in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036.004", "T1036"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = \"*[kworker/*\" Processes.parent_process_path IN (\"/home/*\", \"/tmp/*\", \"/var/log/*\") Processes.process=\"*iptables*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_kworker_process_in_writable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Make Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-12", "version": 2, "id": "80b22836-5091-4944-80ee-f733ac443f4f", "description": "The following analytic detects the use of the 'make' command with elevated privileges to execute system commands as root, potentially leading to a root shell. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include 'make', '--eval', and 'sudo'. This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, an attacker could achieve full control over the system, execute arbitrary commands, and compromise the entire environment.", "references": ["https://gtfobins.github.io/gtfobins/make/", "https://www.javatpoint.com/linux-make-command"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*make*-s*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_make_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux MySQL Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "c0d810f4-230c-44ea-b703-989da02ff145", "description": "The following analytic detects the execution of MySQL commands with elevated privileges using sudo, which can lead to privilege escalation. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential misuse of MySQL to execute system commands as root, which could allow an attacker to gain root shell access. If confirmed malicious, this could result in full control over the affected system, leading to severe security breaches and unauthorized access to sensitive data.", "references": ["https://gtfobins.github.io/gtfobins/mysql/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*mysql*-e*\" AND Processes.process=\"*\\!**\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_mysql_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "bc84d574-708c-467d-b78a-4c1e20171f97", "description": "The following analytic detects the use of Ngrok on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments associated with Ngrok. This activity is significant because Ngrok can be used by adversaries to establish reverse proxies, potentially bypassing network defenses. If confirmed malicious, this could allow attackers to create persistent, unauthorized access channels, facilitating data exfiltration or further exploitation of the compromised system.", "references": ["https://ngrok.com/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1090", "T1102"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if Ngrok is an authorized utility. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Node Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-29", "version": 2, "id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "description": "The following analytic identifies the execution of Node.js with elevated privileges using sudo, specifically when spawning child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific Node.js commands. This activity is significant because running Node.js as a superuser without dropping privileges can allow unauthorized access to the file system and potential privilege escalation. If confirmed malicious, this could enable an attacker to maintain privileged access, execute arbitrary code, and compromise sensitive data within the environment.", "references": ["https://gtfobins.github.io/gtfobins/docker/", "https://en.wikipedia.org/wiki/Node.js"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*node*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*child_process.spawn*\" AND Processes.process=\"*stdio*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_node_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "description": "The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify command lines containing \"NOPASSWD:\". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands", "https://help.ubuntu.com/community/Sudoers"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*NOPASSWD:*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_nopasswd_entry_in_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "description": "The following analytic detects the use of the base64 decode command on Linux systems, which is often used to deobfuscate files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include \"base64 -d\" or \"base64 --decode\". This activity is significant as it may indicate an attempt to hide malicious payloads or scripts. If confirmed malicious, an attacker could use this technique to execute hidden code, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and will require some tuning based on processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_obfuscated_files_or_information_base64_decode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Octave Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-18", "version": 2, "id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "description": "The following analytic detects the execution of GNU Octave with elevated privileges, specifically when it runs system commands via sudo. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments that include \"octave-cli,\" \"--eval,\" \"system,\" and \"sudo.\" This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands, severely impacting system security and integrity.", "references": ["https://gtfobins.github.io/gtfobins/octave/", "https://en.wikipedia.org/wiki/GNU_Octave"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*octave-cli*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_octave_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux OpenVPN Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 2, "id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "description": "The following analytic detects the execution of OpenVPN with elevated privileges, specifically when combined with the `--dev`, `--script-security`, `--up`, and `sudo` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute system commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access and execute arbitrary commands with elevated privileges.", "references": ["https://gtfobins.github.io/gtfobins/openvpn/", "https://en.wikipedia.org/wiki/OpenVPN"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*openvpn*\" AND Processes.process=\"*--dev*\" AND Processes.process=\"*--script-security*\" AND Processes.process=\"*--up*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_openvpn_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "description": "The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. This activity is significant for a SOC because it highlights behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system. If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Privilege escalation and persistence behaviors have been identified on $risk_object$.", "risk_score": 56, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN (\"Linux Privilege Escalation\", \"Linux Persistence Techniques\") OR source = \"*Linux*\") All_Risk.annotations.mitre_attack.mitre_tactic IN (\"persistence\", \"privilege-escalation\") All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`", "how_to_implement": "Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_persistence_and_privilege_escalation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux PHP Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-19", "version": 2, "id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "description": "The following analytic detects the execution of PHP commands with elevated privileges on a Linux system. It identifies instances where PHP is used in conjunction with 'sudo' and 'system' commands, indicating an attempt to run system commands as the root user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments. This activity is significant because it can indicate an attempt to escalate privileges, potentially leading to full root access. If confirmed malicious, this could allow an attacker to execute arbitrary commands with root privileges, compromising the entire system.", "references": ["https://gtfobins.github.io/gtfobins/php/", "https://en.wikipedia.org/wiki/PHP"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*php*-r*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_php_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux pkexec Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "03e22c1c-8086-11ec-ac2e-acde48001122", "description": "The following analytic detects the execution of `pkexec` without any command-line arguments. This behavior leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry. The significance lies in the fact that this pattern is associated with the exploitation of CVE-2021-4034 (PwnKit), a critical vulnerability in Polkit's pkexec component. If confirmed malicious, this activity could allow an attacker to gain full root privileges on the affected Linux system, leading to complete system compromise and potential unauthorized access to sensitive information.", "references": ["https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/", "https://linux.die.net/man/1/pkexec", "https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/", "https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_pkexec_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "7a85eb24-72da-11ec-ac76-acde48001122", "description": "The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the sshd_config file. This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098.004", "T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/ssh/sshd_config\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_access_or_modification_of_sshd_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Access To Credential Files", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "16107e0e-71fc-11ec-b862-acde48001122", "description": "The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.", "references": ["https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd", "https://attack.mitre.org/techniques/T1003/008/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.008", "T1003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/shadow*\", \"*/etc/passwd*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_access_to_credential_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Access To Sudoers File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "4479539c-71fc-11ec-b2e2-acde48001122", "description": "The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cat,\" \"nano,\" \"vim,\" and \"vi\" accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.", "references": ["https://attack.mitre.org/techniques/T1548/003/", "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/sudoers*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_access_to_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Append Command To At Allow Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "7bc20606-5f40-11ec-a586-acde48001122", "description": "The following analytic detects suspicious command lines that append user entries to /etc/at.allow or /etc/at.deny files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving these files. This activity is significant because altering these configuration files can allow attackers to schedule tasks with elevated permissions, facilitating persistence on a compromised Linux host. If confirmed malicious, this could enable attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://linuxize.com/post/at-command-in-linux/", "https://attack.mitre.org/techniques/T1053/001/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify at allow config file in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.002", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/at.allow\", \"*/etc/at.deny\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_append_command_to_at_allow_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Append Command To Profile Config File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "9c94732a-61af-11ec-91e3-acde48001122", "description": "The following analytic detects suspicious command-lines that modify user profile files to automatically execute scripts or executables upon system reboot. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving profile files like ~/.bashrc and /etc/profile. This activity is significant as it indicates potential persistence mechanisms used by adversaries to maintain access to compromised hosts. If confirmed malicious, this could allow attackers to execute arbitrary code upon reboot, leading to persistent control over the system and potential further exploitation.", "references": ["https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work", "https://attack.mitre.org/techniques/T1546/004/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may modify profile files in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.004", "T1546"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*~/.bashrc\", \"*~/.bash_profile\", \"*/etc/profile\", \"~/.bash_login\", \"*~/.profile\", \"~/.bash_logout\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_append_command_to_profile_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "b5b91200-5f27-11ec-bb4e-acde48001122", "description": "The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.", "references": ["https://attack.mitre.org/techniques/T1053/003/", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Cronjob Modification With Editor", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "dcc89bde-5f24-11ec-87ca-acde48001122", "description": "The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like \"nano,\" \"vi,\" or \"vim.\" It identifies this activity by monitoring command-line executions that interact with cronjob configuration paths. This behavior is significant for a SOC as it may indicate attempts at privilege escalation or establishing persistent access. If confirmed malicious, the impact could be severe, allowing attackers to execute damaging actions such as data theft, system sabotage, or further network penetration.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may modify cronjob file using editor in $dest$", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.003", "T1053"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN(\"nano\",\"vim.basic\") OR Processes.process IN (\"*nano *\", \"*vi *\", \"*vim *\")) AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_cronjob_modification_with_editor_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Possible Ssh Key File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "c04ef40c-72da-11ec-8eac-acde48001122", "description": "The following analytic detects the creation of SSH key files in the ~/.ssh/ directory. It leverages filesystem data to identify new files in this specific path. This activity is significant because threat actors often create SSH keys to gain persistent access and escalate privileges on a compromised host. If confirmed malicious, this could allow attackers to remotely access the machine using the OpenSSH daemon service, leading to potential unauthorized control and data exfiltration.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098.004", "T1098"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/.ssh*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_possible_ssh_key_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Preload Hijack Library Calls", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "cbe2ca30-631e-11ec-8670-acde48001122", "description": "The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.", "references": ["https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may hijack library function on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.006", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*LD_PRELOAD*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_preload_hijack_library_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Proxy Socks Curl", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "description": "The following analytic detects the use of the `curl` command with proxy-related arguments such as `-x`, `socks`, `--preproxy`, and `--proxy`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an adversary attempting to use a proxy to evade network monitoring and obscure their actions. If confirmed malicious, this behavior could allow attackers to bypass security controls, making it difficult to track their activities and potentially leading to unauthorized data access or exfiltration.", "references": ["https://www.offensive-security.com/metasploit-unleashed/proxytunnels/", "https://curl.se/docs/manpage.html", "https://en.wikipedia.org/wiki/SOCKS", "https://oxylabs.io/blog/curl-with-proxy", "https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl.", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1090", "T1095"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-x *\", \"*socks4a://*\", \"*socks5h://*\", \"*socks4://*\",\"*socks5://*\", \"*--preproxy *\", \"--proxy*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on proxy usage internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_proxy_socks_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Puppet Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "description": "The following analytic detects the execution of Puppet commands with elevated privileges, specifically when Puppet is used to apply configurations with sudo rights. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access and execute system commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control.", "references": ["https://gtfobins.github.io/gtfobins/puppet/", "https://en.wikipedia.org/wiki/Puppet_(software)"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*puppet*\" AND Processes.process=\"*apply*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_puppet_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux RPM Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-21", "version": 2, "id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "description": "The following analytic detects the execution of the RPM Package Manager with elevated privileges, specifically when it is used to run system commands as root via the `--eval` and `lua:os.execute` options. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, this could lead to full system compromise, unauthorized access to sensitive data, and further exploitation of the environment.", "references": ["https://gtfobins.github.io/gtfobins/rpm/", "https://en.wikipedia.org/wiki/RPM_Package_Manager"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*rpm*--eval*\" AND Processes.process=\"*lua:os.execute*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_rpm_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Ruby Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-25", "version": 2, "id": "097b28b5-7004-4d40-a715-7e390501788b", "description": "The following analytic detects the execution of Ruby commands with elevated privileges on a Linux system. It identifies processes where Ruby is used with the `-e` flag to execute commands via `sudo`, leveraging Endpoint Detection and Response (EDR) telemetry. This activity is significant because it indicates a potential privilege escalation attempt, allowing a user to execute commands as root. If confirmed malicious, this could lead to full system compromise, enabling an attacker to gain root access, execute arbitrary commands, and maintain persistent control over the affected system.", "references": ["https://gtfobins.github.io/gtfobins/ruby/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*ruby*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ruby_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Service File Created In Systemd Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "c7495048-61b6-11ec-9a37-acde48001122", "description": "The following analytic detects the creation of suspicious service files within the systemd directories on Linux platforms. It leverages logs containing file name, file path, and process GUID data from endpoints. This activity is significant for a SOC as it may indicate an adversary attempting to establish persistence on a compromised host. If confirmed malicious, this could lead to system compromise or data exfiltration, allowing attackers to maintain control over the system and execute further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1053/006/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml"], "tags": {"analytic_story": ["Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service file named as $file_path$ is created in systemd folder on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.006", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN (\"*/etc/systemd/system*\", \"*/lib/systemd/system*\", \"*/usr/lib/systemd/system*\", \"*/run/systemd/system*\", \"*~/.config/systemd/*\", \"*~/.local/share/systemd/*\",\"*/etc/systemd/user*\", \"*/lib/systemd/user*\", \"*/usr/lib/systemd/user*\", \"*/run/systemd/user*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_service_file_created_in_systemd_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Service Restarted", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "084275ba-61b8-11ec-8d64-acde48001122", "description": "The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may create or start a service on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.006", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"*restart*\", \"*reload*\", \"*reenable*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_service_restarted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Service Started Or Enabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 3, "id": "e0428212-61b7-11ec-88a3-acde48001122", "description": "The following analytic detects the creation or enabling of services on Linux platforms using the systemctl or service tools. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names, parent processes, and command-line executions. This activity is significant as adversaries may create or modify services to maintain persistence or execute malicious payloads. If confirmed malicious, this behavior could lead to persistent access, data theft, ransomware deployment, or other damaging outcomes. Monitoring and investigating such activities are crucial for maintaining the security and integrity of the environment.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Gomir", "Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may create or start a service on $dest", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.006", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"* start *\", \"* enable *\") AND NOT (Processes.os=\"Microsoft Windows\" OR Processes.vendor_product=\"Microsoft Windows\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_service_started_or_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Setuid Using Chmod Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "bf0304b6-6250-11ec-9d7c-acde48001122", "description": "The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.001", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = \"*chmod *\") AND Processes.process IN(\"* g+s *\", \"* u+s *\", \"* 4777 *\", \"* 4577 *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_setuid_using_chmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Setuid Using Setcap Utility", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "9d96022e-6250-11ec-9a19-acde48001122", "description": "The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that may set suid or sgid on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.001", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = \"*setcap *\") AND Processes.process IN (\"* cap_setuid=ep *\", \"* cap_setuid+ep *\", \"* cap_net_bind_service+p *\", \"* cap_net_raw+ep *\", \"* cap_dac_read_search+ep *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_setuid_using_setcap_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Shred Overwrite Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c1952cf1-643c-4965-82de-11c067cbae76", "description": "The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2", "Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A possible shred overwrite command $process$ executed on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN (\"*-n*\", \"*-u*\", \"*-z*\", \"*-s*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_shred_overwrite_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Sqlite3 Privilege Escalation", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "description": "The following analytic detects the execution of the sqlite3 command with elevated privileges, which can be exploited for privilege escalation. It leverages Endpoint Detection and Response (EDR) telemetry to identify instances where sqlite3 is used in conjunction with shell commands and sudo. This activity is significant because it indicates a potential attempt to gain root access, which could lead to full system compromise. If confirmed malicious, an attacker could execute arbitrary commands as root, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://gtfobins.github.io/gtfobins/sqlite3/", "https://manpages.ubuntu.com/manpages/trusty/en/man1/sqlite3.1.html"], "tags": {"analytic_story": ["Linux Living Off The Land", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sqlite3*\" AND Processes.process=\"*.shell*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_sqlite3_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux SSH Authorized Keys Modification", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "f5ab595e-28e5-4327-8077-5008ba97c850", "description": "The following analytic detects the modification of SSH Authorized Keys on Linux systems. It leverages process execution data from Endpoint Detection and Response (EDR) agents, specifically monitoring commands like \"bash\" and \"cat\" interacting with \"authorized_keys\" files. This activity is significant as adversaries often modify SSH Authorized Keys to establish persistent access to compromised endpoints. If confirmed malicious, this behavior could allow attackers to maintain unauthorized access, bypassing traditional authentication mechanisms and potentially leading to further exploitation or data exfiltration.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"bash\",\"cat\") Processes.process IN (\"*/authorized_keys*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering will be required as system administrators will add and remove. One way to filter query is to add \"echo\".", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_ssh_authorized_keys_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux SSH Remote Services Script Execute", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "description": "The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/"], "tags": {"analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN (\"*oStrictHostKeyChecking*\", \"*oConnectTimeout*\", \"*oBatchMode*\") AND Processes.process IN (\"*http:*\",\"*https:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is not a common command to be executed. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_ssh_remote_services_script_execute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Stdout Redirection To Dev Null File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "description": "The following analytic detects command-line activities that redirect stdout or stderr to the /dev/null file. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This behavior is significant as it can indicate attempts to hide command outputs, a technique observed in the CyclopsBlink malware to conceal modifications to iptables firewall settings. If confirmed malicious, this activity could allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"analytic_story": ["Cyclops Blink", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a commandline $process$ that redirect stdout to dev/null in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*&>/dev/null*\" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_stdout_redirection_to_dev_null_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Stop Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "description": "The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"systemctl,\" \"service,\" and \"svcadm\" executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process =\"*stop*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_stop_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Sudo OR Su Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "4b00f134-6d6a-11ec-a90c-acde48001122", "description": "The following analytic detects the execution of the \"sudo\" or \"su\" command on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names. This activity is significant because \"sudo\" and \"su\" commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1548/003/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ that execute sudo or su in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"sudo\", \"su\") OR Processes.parent_process_name IN (\"sudo\", \"su\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_sudo_or_su_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Sudoers Tmp File Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "be254a5c-63e7-11ec-89da-acde48001122", "description": "The following analytic detects the creation of the \"sudoers.tmp\" file, which occurs when editing the /etc/sudoers file using visudo or another editor on a Linux platform. This detection leverages filesystem data to identify the presence of \"sudoers.tmp\" files. Monitoring this activity is crucial as adversaries may exploit it to gain elevated privileges on a compromised host. If confirmed malicious, this activity could allow attackers to modify sudoers configurations, potentially granting them unauthorized access to execute commands as other users, including root, thereby compromising the system's security.", "references": ["https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file $file_name$ is created in $file_path$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*sudoers.tmp*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_sudoers_tmp_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux System Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "535cb214-8b47-11ec-a2c7-acde48001122", "description": "The following analytic identifies potential enumeration of local network configuration on Linux systems. It detects this activity by monitoring processes such as \"arp,\" \"ifconfig,\" \"ip,\" \"netstat,\" \"firewall-cmd,\" \"ufw,\" \"iptables,\" \"ss,\" and \"route\" within a 30-minute window. This behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks. If confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2", "Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Network discovery process $process_name_list$ executed on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN (\"arp\", \"ifconfig\", \"ip\", \"netstat\", \"firewall-cmd\", \"ufw\", \"iptables\", \"ss\", \"route\") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_system_network_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux System Reboot Via System Request Key", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "description": "The following analytic detects the execution of the SysReq hack to reboot a Linux system host. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe 'b' to /proc/sysrq-trigger. This activity is significant as it is an uncommon method to reboot a system and was observed in the Awfulshred malware wiper. If confirmed malicious, this technique could indicate the presence of suspicious processes and potential system compromise, leading to unauthorized reboots and disruption of services.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to reboot $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo b > *\" Processes.process = \"*/proc/sysrq-trigger\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "linux_system_reboot_via_system_request_key_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "e7a96937-3b58-4962-8dce-538e4763cf15", "description": "The following analytic detects the execution of a command to enable all SysRq functions on a Linux system, a technique associated with the AwfulShred malware. It leverages Endpoint Detection and Response (EDR) data to identify processes executing the command to pipe bitmask '1' to /proc/sys/kernel/sysrq. This activity is significant as it can indicate an attempt to manipulate kernel system requests, which is uncommon and potentially malicious. If confirmed, this could allow an attacker to reboot the system or perform other critical actions, leading to system instability or further compromise.", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.004", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo 1 > *\" Processes.process = \"*/proc/sys/kernel/sysrq\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_unix_shell_enable_all_sysrq_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Linux Visudo Utility Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "08c41040-624c-11ec-a71f-acde48001122", "description": "The following analytic detects the execution of the 'visudo' utility to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because unauthorized changes to the /etc/sudoers file can grant elevated privileges to users, potentially allowing adversaries to execute commands as root. If confirmed malicious, this could lead to full system compromise, privilege escalation, and persistent unauthorized access, severely impacting the security posture of the affected host.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands"], "tags": {"analytic_story": ["Linux Persistence Techniques", "Linux Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A commandline $process$ executed on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.003", "T1548"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "linux_visudo_utility_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Living Off The Land Detection", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "1be30d80-3a39-4df9-9102-64a467b24abc", "description": "The following correlation identifies multiple risk events associated with the \"Living Off The Land\" analytic story, indicating potentially suspicious behavior. It leverages the Risk data model to aggregate and correlate events tagged under this story, focusing on systems with a high count of distinct sources. This activity is significant as it often involves the use of legitimate tools for malicious purposes, making detection challenging. If confirmed malicious, this behavior could allow attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.", "references": ["https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html", "https://research.splunk.com/stories/living_off_the_land/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105", "T1190", "T1059", "T1133"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Living Off The Land\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_detection_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories=\"Living Off The Land\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "living_off_the_land_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Loading Of Dynwrapx Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "eac5e8ba-4857-11ec-9371-acde48001122", "description": "The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. Immediate investigation of parallel processes and registry modifications is recommended.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "dynwrapx.dll loaded by process $process_name$ on $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055", "T1055.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\dynwrapx.dll\" OR OriginalFileName = \"dynwrapx.dll\" OR Product = \"DynamicWrapperX\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "loading_of_dynwrapx_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Local Account Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 3, "id": "5d0d4830-0133-11ec-bae3-acde48001122", "description": "The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "local_account_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Local Account Discovery With Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "4902d7aa-0134-11ec-9d65-acde48001122", "description": "The following analytic detects the execution of `wmic.exe` with command-line arguments used to query local user accounts, specifically the `useraccount` argument. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Local user discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "local_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "author": "Jose Hernandez, Splunk", "date": "2024-05-26", "version": 4, "id": "9be30d80-3a39-4df9-9102-64a467b24eac", "description": "The following analytic identifies potential exploitation of Log4Shell CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK tactics from Log4Shell-related detections. This activity is significant because it indicates a high probability of exploitation if two or more distinct tactics are observed. If confirmed malicious, this activity could lead to initial payload delivery, callback to a malicious server, and post-exploitation activities, potentially resulting in unauthorized access, lateral movement, and further compromise of the affected systems.", "references": ["https://research.splunk.com/stories/log4shell_cve-2021-44228/", "https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Log4Shell Exploitation detected against $risk_object$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105", "T1190", "T1059", "T1133"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Log4Shell CVE-2021-44228\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories=\"Log4Shell CVE-2021-44228\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "log4shell_cve_2021_44228_exploitation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Logon Script Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "4c38c264-1f74-11ec-b5fa-acde48001122", "description": "The following analytic detects the modification of the UserInitMprLogonScript registry entry, which is often used by attackers to establish persistence and gain privilege escalation upon system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the specified registry path. This activity is significant because it is a common technique used by APT groups and malware to ensure their payloads execute automatically when the system starts. If confirmed malicious, this could allow attackers to maintain persistent access and potentially escalate their privileges on the compromised host.", "references": ["https://attack.mitre.org/techniques/T1037/001/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1037", "T1037.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Environment\\\\UserInitMprLogonScript\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "logon_script_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "LOLBAS With Network Traffic", "author": "Steven Dick", "date": "2024-05-11", "version": 2, "id": "2820f032-19eb-497e-8642-25b04a880359", "description": "The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "references": ["https://lolbas-project.github.io/#", "https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "message": "The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1105", "T1567", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN (\"*Regsvcs.exe\", \"*\\\\Ftp.exe\", \"*OfflineScannerShell.exe\", \"*Rasautou.exe\", \"*Schtasks.exe\", \"*Xwizard.exe\", \"*Pnputil.exe\", \"*Atbroker.exe\", \"*Pcwrun.exe\", \"*Ttdinject.exe\", \"*Mshta.exe\", \"*Bitsadmin.exe\", \"*Certoc.exe\", \"*Ieexec.exe\", \"*Microsoft.Workflow.Compiler.exe\", \"*Runscripthelper.exe\", \"*Forfiles.exe\", \"*Msbuild.exe\", \"*Register-cimprovider.exe\", \"*Tttracer.exe\", \"*Ie4uinit.exe\", \"*Bash.exe\", \"*Hh.exe\", \"*SettingSyncHost.exe\", \"*Cmstp.exe\", \"*Stordiag.exe\", \"*Scriptrunner.exe\", \"*Odbcconf.exe\", \"*Extexport.exe\", \"*Msdt.exe\", \"*WorkFolders.exe\", \"*Diskshadow.exe\", \"*Mavinject.exe\", \"*Regasm.exe\", \"*Gpscript.exe\", \"*Regsvr32.exe\", \"*Msiexec.exe\", \"*Wuauclt.exe\", \"*Presentationhost.exe\", \"*Wmic.exe\", \"*Runonce.exe\", \"*Syncappvpublishingserver.exe\", \"*Verclsid.exe\", \"*Infdefaultinstall.exe\", \"*Installutil.exe\", \"*Netsh.exe\", \"*Wab.exe\", \"*Dnscmd.exe\", \"*\\\\At.exe\", \"*Pcalua.exe\", \"*Msconfig.exe\", \"*makecab.exe\", \"*cscript.exe\", \"*notepad.exe\", \"*\\\\cmd.exe\", \"*certutil.exe\", \"*\\\\powershell.exe\", \"*powershell_ise.exe\")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `lolbas_with_network_traffic_filter`", "how_to_implement": "To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.", "known_false_positives": "Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\") ", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "lolbas_with_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MacOS - Re-opened Applications", "author": "Jamie Windley, Splunk", "date": "2024-05-14", "version": 2, "id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "description": "The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to \"com.apple.loginwindow.\" This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*com.apple.loginwindow*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "macos___re_opened_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MacOS LOLbin", "author": "Patrick Bareiss, Splunk", "date": "2024-05-17", "version": 3, "id": "58d270fb-5b39-418e-a855-4b8ac046805e", "description": "The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as \"find\", \"crontab\", \"screencapture\", \"openssl\", \"curl\", \"wget\", \"killall\", and \"funzip\". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiplle LOLbin are executed on host $dest$ by user $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.004", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery` name=es_process_events columns.cmdline IN (\"find*\", \"crontab*\", \"screencapture*\", \"openssl*\", \"curl*\", \"wget*\", \"killall*\", \"funzip*\") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as user, cmdline as process, path as process_path, host as dest | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "None identified.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "macos_lolbin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "MacOS plutil", "author": "Patrick Bareiss, Splunk", "date": "2024-05-22", "version": 4, "id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "description": "The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "plutil are executed on $dest$ from $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1647"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "Administrators using plutil to change plist files.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "macos_plutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Mailsniper Invoke functions", "author": "Teoderick Contreras, Splunk", "date": "2024-05-07", "version": 3, "id": "a36972c8-b894-11eb-9f78-acde48001122", "description": "The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure.", "references": ["https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Potential mailsniper.ps1 functions executed on dest $dest$ by user $user$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1114", "T1114.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mailsniper_invoke_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Malicious InProcServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "127c8d08-25ff-11ec-9223-acde48001122", "description": "The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security.", "references": ["https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.010", "T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\CLSID\\\\{89565275-A714-4a43-912E-978B935EDCCC}\\\\InProcServer32\\\\(Default)\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Malicious Powershell Executed As A Service", "author": "Ryan Becwar", "date": "2024-05-20", "version": 3, "id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "description": "The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "http://az4n6.blogspot.com/2017/", "https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "tags": {"analytic_story": ["Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $ImagePath$ by $user$ on $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 | eval l_ImagePath=lower(ImagePath) | regex l_ImagePath=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_ImagePath=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName StartType ServiceType AccountName UserID dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Creating a hidden powershell service is rare and could key off of those instances.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_powershell_executed_as_a_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Malicious PowerShell Process - Encoded Command", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-19", "version": 8, "id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "description": "The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts.", "references": ["https://regexr.com/662ov", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["CISA AA22-320A", "DarkCrystal RAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "Qakbot", "Sandworm Tools", "Volt Typhoon", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running potentially malicious encodede commands on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "System administrators may use this option, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "malicious_powershell_process___encoded_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 6, "id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "description": "The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like \"-ex\" or \"bypass.\" This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "DHS Report TA18-074A", "DarkCrystal RAT", "HAFNIUM Group", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "PowerShell local execution policy bypass attempt on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"* -ex*\" OR Processes.process=\"* bypass *\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_powershell_process___execution_policy_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "author": "David Dorsey, Splunk", "date": "2024-05-18", "version": 6, "id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "description": "The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell.exe running with potential obfuscated arguments on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"`\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "These characters might be legitimately on the command-line, but it is not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "malicious_powershell_process_with_obfuscation_techniques_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "13bbd574-83ac-11ec-99d4-acde48001122", "description": "The following analytic detects the use of Mimikatz command line parameters associated with pass-the-ticket attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns related to Kerberos ticket manipulation. This activity is significant because pass-the-ticket attacks allow adversaries to move laterally within an environment using stolen Kerberos tickets, bypassing normal access controls. If confirmed malicious, this could enable attackers to escalate privileges, access sensitive information, and maintain persistence within the network.", "references": ["https://github.com/gentilkiwi/mimikatz", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA22-320A", "CISA AA23-347A", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Mimikatz command line parameters for pass the ticket attacks were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*sekurlsa::tickets /export*\" OR Processes.process = \"*kerberos::ptt*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mimikatz_passtheticket_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "description": "The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `mmc.exe` is the parent process. This activity is significant because adversaries can abuse the DCOM protocol and MMC20 COM object to execute malicious code, using Windows native binaries documented by the LOLBAS project. If confirmed malicious, this behavior could indicate lateral movement, allowing attackers to execute code remotely, potentially leading to further compromise and persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Mmc.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.003", "T1218.014"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mmc_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Modification Of Wallpaper", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "accb0712-c381-11eb-8e5b-acde48001122", "description": "The following analytic detects the modification of registry keys related to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify changes to the \"Control Panel\\\\Desktop\\\\Wallpaper\" and \"Control Panel\\\\Desktop\\\\WallpaperStyle\" registry keys, especially when the modifying process is not explorer.exe or involves suspicious file paths like temp or public directories. This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note. If confirmed malicious, this could signify a compromised machine and the presence of ransomware, leading to potential data encryption and extortion.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Brute Ratel C4", "LockBit Ransomware", "Ransomware", "Revil Ransomware", "Rhysida Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wallpaper modification on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1491"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode =13 (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Image != \"*\\\\explorer.exe\") OR (TargetObject IN (\"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\",\"*\\\\Control Panel\\\\Desktop\\\\WallpaperStyle\") AND Details IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may used to changed the wallpaper of the machine", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "modification_of_wallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Modify ACL permission To Files Or Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "7e8458cc-acca-11eb-9e3f-acde48001122", "description": "The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like \"cacls.exe,\" \"icacls.exe,\" and \"xcacls.exe\" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious ACL permission modification on $dest$", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"xcacls.exe\") AND Processes.process = \"*/G*\" AND (Processes.process = \"* everyone:*\" OR Processes.process = \"* SYSTEM:*\" OR Processes.process = \"* S-1-1-0:*\") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may use this command. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "modify_acl_permission_to_files_or_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Monitor Registry Keys for Print Monitors", "author": "Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 6, "id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "description": "The following analytic detects modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "New print monitor added on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.010", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "You will encounter noise from legitimate print-monitor registry entries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "monitor_registry_keys_for_print_monitors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "985f322c-57a5-11ec-b9ac-acde48001122", "description": "The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1505.003", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name=\"*.aspx\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MS Scripting Process Loading Ldap Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "0b0c40dc-14a6-11ec-b267-acde48001122", "description": "The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading ldap modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_scripting_process_loading_ldap_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "MS Scripting Process Loading WMI Module", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "2eba3d36-14a6-11ec-a682-acde48001122", "description": "The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$process_name$ loading wmi modules $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.007"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_scripting_process_loading_wmi_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "MSBuild Suspicious Spawned By Script Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "213b3148-24ea-11ec-93a2-acde48001122", "description": "The following analytic detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is often associated with malware or adversaries executing malicious MSBuild processes via scripts on compromised hosts. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where MSBuild is a child of script hosts. This activity is significant as it may indicate an attempt to execute malicious code. If confirmed malicious, it could lead to unauthorized code execution, potentially compromising the host and allowing further malicious activities.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/"], "tags": {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1127.001", "T1127"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"wscript.exe\", \"cscript.exe\") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as developers do not spawn MSBuild via a WSH.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "msbuild_suspicious_spawned_by_script_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "4aa5d062-e893-11eb-9eb2-acde48001122", "description": "The following analytic detects a suspicious mshta.exe process spawning rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, and parent process fields. This activity is significant as it is a known technique used by malware like Trickbot to load malicious DLLs and execute payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or download additional malware, posing a severe threat to the environment.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"mshta.exe\" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this anomaly behavior is not commonly seen in clean host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mshta_spawning_rundll32_or_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "MSHTML Module Load in Office Product", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 4, "id": "5f1c168e-118b-11ec-84ff-acde48001122", "description": "The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration.", "references": ["https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://strontic.github.io/xcyclopedia/index-dll", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=7 process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") loaded_file_path IN (\"*\\\\mshtml.dll\", \"*\\\\Microsoft.mshtml.dll\",\"*\\\\IE.Interop.MSHTML.dll\",\"*\\\\MshtmlDac.dll\",\"*\\\\MshtmlDed.dll\",\"*\\\\MshtmlDer.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "mshtml_module_load_in_office_product_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "MSI Module Loaded by Non-System Binary", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "ccb98a66-5851-11ec-b91c-acde48001122", "description": "The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.", "references": ["https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis", "https://github.com/AlexandrVIvanov/InstallerFileTakeOver", "https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/msi.dll%20Hijack%20(Methodology).ioc"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "message": "The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $dest$, potentally related to DLL side-loading.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\msi.dll\" NOT (Image IN (\"*\\\\System32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\windows\\\\*\", \"*\\\\winsxs\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "msi_module_loaded_by_non_system_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Msmpeng Application DLL Side Loading", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2024-05-16", "version": 4, "id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "description": "The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their expected directories. This activity is significant because it is associated with the REvil ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system compromise, and potential data loss or extortion.", "references": ["https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = \"msmpeng.exe\" OR Filesystem.file_name = \"mpsvc.dll\") AND NOT (Filesystem.file_path IN (\"*\\\\Program Files\\\\windows defender\\\\*\",\"*\\\\WinSxS\\\\*defender-service*\",\"*\\\\WinSxS\\\\Temp\\\\*defender-service*\")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "quite minimal false positive expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "msmpeng_application_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Net Localgroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "54f5201e-155b-11ec-a6e2-acde48001122", "description": "The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Graceful Wipe Out Attack", "IcedID", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon", "Windows Discovery Techniques", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process=\"*localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "net_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "NET Profiler UAC bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "0252ca80-e30d-11eb-8aa3-acde48001122", "description": "The following analytic detects modifications to the registry aimed at bypassing the User Account Control (UAC) feature in Windows. It identifies changes to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values. Monitoring this activity is crucial as it can indicate an attempt to escalate privileges or persist within the environment. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, compromising system integrity.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_path$ and key $registry_key_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Environment\\\\COR_PROFILER_PATH\" Registry.registry_value_data = \"*.dll\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "limited false positive. It may trigger by some windows update that will modify this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "net_profiler_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Connection Discovery With Arp", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "description": "The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"arp.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_connection_discovery_with_arp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Connection Discovery With Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "640337e5-6e41-4b7f-af06-9d9eab5e1e2d", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement.", "references": ["https://attack.mitre.org/techniques/T1049/"], "tags": {"analytic_story": ["Active Directory Discovery", "Azorult", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_connection_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Connection Discovery With Netstat", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "description": "The following analytic detects the execution of `netstat.exe` with command-line arguments to list network connections on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant as both Red Teams and adversaries use `netstat.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map network connections, identify critical systems, and plan further lateral movement or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "CISA AA23-347A", "PlugX", "Prestige Ransomware", "Qakbot", "Volt Typhoon", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"netstat.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_connection_discovery_with_netstat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Discovery Using Route Windows App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "dd83407e-439f-11ec-ab8e-acde48001122", "description": "The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. Note that false positives may occur due to legitimate administrative tasks or automated scripts.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-277A", "Prestige Ransomware", "Qakbot", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Network Connection discovery on $dest$ by $user$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016", "T1016.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_discovery_using_route_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_route", "definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Network Share Discovery Via Dir Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "description": "The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.", "references": ["https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$user$ list executable files or directory in known sensitive SMB share. Share name=$ShareName$, Access mask=$AccessMask$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1135"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` EventCode=5140 ShareName IN(\"\\\\\\\\*\\\\ADMIN$\",\"\\\\\\\\*\\\\C$\",\"*\\\\\\\\*\\\\IPC$\") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_share_discovery_via_dir_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Network Traffic to Active Directory Web Services Protocol", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "68a0056c-34cb-455f-b03d-df935ea62c4f", "description": "The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Network traffic to Active Directory Web Services Protocol was identified on $dest_ip$ by $src_ip$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `network_traffic_to_active_directory_web_services_protocol_filter`", "how_to_implement": "The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "network_traffic_to_active_directory_web_services_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Nishang PowershellTCPOneLine", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "description": "The following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server. It leverages Endpoint Detection and Response (EDR) data, focusing on PowerShell processes that include specific .NET classes like Net.Sockets.TCPClient and System.Text.ASCIIEncoding. This activity is significant as it indicates potential remote control or data exfiltration attempts by an attacker. If confirmed malicious, this could lead to unauthorized remote access, data theft, or further compromise of the affected system.", "references": ["https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.rapid7.com/blog/post/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"analytic_story": ["HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present. Filter as needed based on initial analysis.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "nishang_powershelltcponeline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "NLTest Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "c3e05466-5f22-11eb-ae93-0242ac130002", "description": "The following analytic identifies the execution of `nltest.exe` with command-line arguments `/domain_trusts` or `/all_trusts` to query Domain Trust information. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to understand domain trust relationships, which can inform their lateral movement strategies. If confirmed malicious, this activity could enable attackers to map out trusted domains, facilitating further compromise and pivoting within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://malware.news/t/lets-learn-trickbot-implements-network-collector-module-leveraging-cmd-wmi-ldap/19104", "https://attack.mitre.org/techniques/T1482/", "https://owasp.org/www-pdf-archive/Red_Team_Operating_in_a_Modern_Environment.pdf", "https://ss64.com/nt/nltest.html", "https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/", "https://thedfirreport.com/2020/10/08/ryuks-return/"], "tags": {"analytic_story": ["Active Directory Discovery", "Domain Trust Discovery", "IcedID", "Qakbot", "Rhysida Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Domain trust discovery execution on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1482"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "nltest_domain_trust_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_nltest", "definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "81263de4-160a-11ec-944f-acde48001122", "description": "The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non chrome browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555", "T1555.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\chrome.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\Google\\\\Chrome\\\\User Data\\\\Default*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "non_chrome_process_accessing_chrome_default_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "e6fc13b0-1609-11ec-b533-acde48001122", "description": "The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system.", "references": [], "tags": {"analytic_story": ["3CX Supply Chain Attack", "AgentTesla", "Azorult", "CISA AA23-347A", "DarkGate Malware", "FIN7", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Remcos", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a non firefox browser process $ProcessName$ accessing $ObjectName$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555", "T1555.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 NOT (ProcessName IN (\"*\\\\firefox.exe\", \"*\\\\explorer.exe\", \"*sql*\")) ObjectName=\"*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles*\" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "non_firefox_process_access_firefox_profile_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Notepad with no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "description": "The following analytic identifies instances where Notepad.exe is launched without any command line arguments, a behavior commonly associated with the SliverC2 framework. This detection leverages process creation events from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by Notepad.exe within a short time frame. This activity is significant as it may indicate an attempt to inject malicious code into Notepad.exe, a known tactic for evading detection. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and unauthorized access.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(notepad\\.exe.{0,4}$)\" | `notepad_with_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on organization endpoint behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "notepad_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Ntdsutil Export NTDS", "author": "Michael Haag, Patrick Bareiss, Splunk", "date": "2024-05-30", "version": 2, "id": "da63bc76-61ae-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Ntdsutil to export the Active Directory database (NTDS.dit). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because exporting NTDS.dit can be a precursor to offline password cracking, posing a severe security risk. If confirmed malicious, an attacker could gain access to sensitive credentials, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Rhysida Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Active Directory NTDS export on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ntdsutil_export_ntds_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Application Drop Executable", "author": "Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github", "date": "2024-05-14", "version": 5, "id": "73ce70c4-146d-11ec-9184-acde48001122", "description": "The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as .exe, .dll, or .ps1. This behavior is significant as it is often associated with spear-phishing attacks where malicious files are dropped to compromise the host. If confirmed malicious, this activity could lead to code execution, privilege escalation, or persistent access, posing a severe threat to the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "FIN7", "PlugX", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ drops a file $file_name$ in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\",\"*.dll\",\"*.pif\",\"*.scr\",\"*.js\",\"*.vbs\",\"*.vbe\",\"*.ps1\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "office macro for automation may do this behavior", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_application_drop_executable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Application Spawn Regsvr32 process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 5, "id": "2d9fc90c-f11f-11eb-9300-acde48001122", "description": "The following analytic identifies instances where an Office application spawns a Regsvr32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. This activity is significant because it is a common technique used by malware, such as IcedID, to initiate infections. If confirmed malicious, this behavior could lead to code execution, allowing attackers to gain control over the affected system and potentially escalate privileges.", "references": ["https://www.joesandbox.com/analysis/380662/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning regsvr32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name = \"outlook.exe\" OR Processes.parent_process_name = \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name=\"msaccess.exe\") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_application_spawn_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Application Spawn rundll32 process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 5, "id": "958751e4-9c5f-11eb-b103-acde48001122", "description": "The following analytic identifies instances where an Office application spawns a rundll32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. This activity is significant because it is a common technique used by malware, such as Trickbot, to initiate infections. If confirmed malicious, this behavior could lead to code execution, further system compromise, and potential data exfiltration.", "references": ["https://any.run/malware-trends/trickbot", "https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "IcedID", "NjRAT", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office application spawning rundll32.exe on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_application_spawn_rundll32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Document Creating Schedule Task", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 7, "id": "cc8b7b74-9d0f-11eb-8342-acde48001122", "description": "The following analytic detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`. This detection leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` file. This activity is significant as it is a common technique used by malicious macro malware to establish persistence or initiate beaconing. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activities, posing a significant threat to the environment.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An Office document was identified creating a scheduled task on $dest$. Investigate further.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") loaded_file_path = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_document_creating_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Office Document Executing Macro Code", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 6, "id": "b12c89bc-9d06-11eb-a592-acde48001122", "description": "The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.", "references": ["https://www.joesandbox.com/analysis/386500/0/html", "https://www.joesandbox.com/analysis/702680/0/html", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/", "https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "DarkCrystal RAT", "IcedID", "NjRAT", "PlugX", "Qakbot", "Remcos", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document executing a macro on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") loaded_file_path IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_document_executing_macro_code_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Office Document Spawned Child Process To Download", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 7, "id": "6fed27d2-9ec7-11eb-8fe4-aa665a019aa3", "description": "The following analytic identifies Office applications spawning child processes to download content via HTTP/HTTPS. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications like Word or Excel initiate network connections, excluding common browsers. This activity is significant as it often indicates the use of malicious documents to execute living-off-the-land binaries (LOLBins) for payload delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further malware deployment, posing a severe threat to the organization's security.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT", "PlugX", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Office document spawning suspicious child process on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") Processes.process IN (\"*http:*\",\"*https:*\") NOT (Processes.original_file_name IN(\"firefox.exe\", \"chrome.exe\",\"iexplore.exe\",\"msedge.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Default browser not in the filter list.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_document_spawned_child_process_to_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawn CMD Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 6, "id": "b8b19420-e892-11eb-9244-acde48001122", "description": "The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "DarkCrystal RAT", "NjRAT", "PlugX", "Qakbot", "Remcos", "Trickbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name= \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\" OR Processes.parent_process_name=\"Graph.exe\" OR Processes.parent_process_name=\"winproj.exe\") `process_cmd` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "IT or network admin may create an document automation that will run shell script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawn_cmd_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning BITSAdmin", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 6, "id": "e8c591f4-a6d7-11eb-8cf7-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because `bitsadmin.exe` is commonly used for malicious file transfers, potentially indicating a malware infection. If confirmed malicious, this activity could allow attackers to download additional payloads, escalate privileges, or establish persistence, leading to further compromise of the affected system.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_bitsadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 6, "id": "6925fe72-a6d5-11eb-9e17-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `certutil.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process relationships and command-line executions. The significance lies in the fact that `certutil.exe` is frequently used for downloading malicious payloads from remote URLs. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further system compromise. Immediate investigation and containment are crucial to prevent potential damage.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["AgentTesla", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_certutil` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning MSHTA", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 5, "id": "6078fa20-a6d2-11eb-b662-acde48001122", "description": "The following analytic identifies instances where a Microsoft Office product spawns `mshta.exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is an Office application. This activity is significant because it is a common technique used by malware families like TA551 and IcedID to execute malicious scripts or payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/"], "tags": {"analytic_story": ["Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "IcedID", "NjRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\", \"onenote.exe\",\"onenotem.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 6, "id": "c661f6be-a38c-11eb-be57-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process and parent process relationships. This activity is significant as it is a known tactic of the IcedID malware family, which can lead to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. Immediate investigation and containment are recommended.", "references": ["https://www.joesandbox.com/analysis/395471/0/html", "https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/", "https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_rundll32_with_no_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 6, "id": "b3628a5b-8d02-42fa-a891-eebf2351cbe1", "description": "The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Remcos", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ on host $dest$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\",\"Graph.exe\",\"winproj.exe\") Processes.process_name IN (\"wscript.exe\", \"cscript.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on macro based approved documents in the organization. Filtering may be needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Spawning Wmic", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 7, "id": "ffc236d6-a6c9-11eb-95f1-acde48001122", "description": "The following analytic detects any Windows Office Product spawning `wmic.exe`, specifically when the command-line of `wmic.exe` contains `wmic process call create`. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it is commonly associated with the Ursnif malware family, indicating potential malicious activity. If confirmed malicious, this could allow an attacker to execute arbitrary commands, leading to further system compromise, data exfiltration, or lateral movement within the network.", "references": ["https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/", "https://attack.mitre.org/techniques/T1047/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "FIN7", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\", \"Graph.exe\",\"winproj.exe\") `process_wmic` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_spawning_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Product Writing cab or inf", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 5, "id": "f48cd1d4-125a-11ec-a447-acde48001122", "description": "The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.", "references": ["https://twitter.com/vxunderground/status/1436326057179860992?s=20", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.inf\",\"*.cab\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_product_writing_cab_or_inf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Office Spawning Control", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "053e027c-10c7-11ec-8437-acde48001122", "description": "The following analytic identifies instances where `control.exe` is spawned by a Microsoft Office product. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it can indicate exploitation attempts related to CVE-2021-40444, where `control.exe` is used to execute malicious .cpl or .inf files. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://www.echotrail.io/insights/search/control.exe/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "office_spawning_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Outbound Network Connection from Java Using Default Ports", "author": "Mauricio Velazco, Lou Stella, Splunk", "date": "2024-05-26", "version": 3, "id": "d2c14d28-5c47-11ec-9892-acde48001122", "description": "The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker’s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Java performed outbound connections to default ports of LDAP or RMI on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name=\"java.exe\" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate Java applications may use perform outbound connections to these ports. Filter as needed", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "outbound_network_connection_from_java_using_default_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Overwriting Accessibility Binaries", "author": "David Dorsey, Splunk", "date": "2024-05-25", "version": 5, "id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "description": "The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.", "references": [], "tags": {"analytic_story": ["Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A suspicious file modification or replace in $file_path$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546", "T1546.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\Windows\\\\System32\\\\sethc.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\utilman.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\osk.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Magnify.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Narrator.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "overwriting_accessibility_binaries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PaperCut NG Suspicious Behavior Debug Log", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "395163b8-689b-444b-86c7-9fe9ad624734", "description": "The following analytic identifies potential exploitation attempts on a PaperCut NG server by analyzing its debug log data. It detects unauthorized or suspicious access attempts from public IP addresses and searches for specific URIs associated with known exploits. The detection leverages regex to parse unstructured log data, focusing on admin login activities. This activity is significant as it can indicate an active exploitation attempt on the server. If confirmed malicious, attackers could gain unauthorized access, potentially leading to data breaches or further compromise of the server.", "references": ["https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs", "https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md", "https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "Behavior related to exploitation of PaperCut NG has been identified on $host$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, \"(?i)(\\/app\\?service=page\\/SetupCompleted|\\/app|\\/app\\?service=page\\/PrinterList|\\/app\\?service=direct\\/1\\/PrinterList\\/selectPrinter&sp=l1001|\\/app\\?service=direct\\/1\\/PrinterDetails\\/printerOptionsTab\\.tab)\"), \"URI matches\", null()) | eval ip_match=if(match(_raw, \"(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\") AND NOT match(_raw, \"(?i)(10\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\\.(1[6-9]|2[0-9]|3[0-1])\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\\.168\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\"), \"IP matches\", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`", "how_to_implement": "Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.", "known_false_positives": "False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "papercut_ng_suspicious_behavior_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "papercutng", "definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Password Policy Discovery with Net", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "09336538-065a-11ec-8665-acde48001122", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1201"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") AND Processes.process = \"*accounts*\" AND Processes.process = \"*/domain*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "password_policy_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Permission Modification using Takeown App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "description": "The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data.", "references": ["https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"], "tags": {"analytic_story": ["Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"takeown.exe\" Processes.process = \"*/f*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "takeown.exe is a normal windows application that may used by network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "permission_modification_using_takeown_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PetitPotam Network Share Access Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "95b8061a-0a67-11ec-85ec-acde48001122", "description": "The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.", "references": ["https://attack.mitre.org/techniques/T1187/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1187"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` SubjectUserName=\"ANONYMOUS LOGON\" EventCode=5145 RelativeTargetName=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`", "how_to_implement": "Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.", "known_false_positives": "False positives have been limited when the Anonymous Logon is used for Account Name.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "petitpotam_network_share_access_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 3, "id": "e3ef244e-0a67-11ec-abf2-acde48001122", "description": "The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 src!=\"::1\" TargetUserName=*$ CertThumbprint!=\"\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetUserName, src, action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`", "how_to_implement": "The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.", "known_false_positives": "False positives are possible if the environment is using certificates for authentication.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "petitpotam_suspicious_kerberos_tgt_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Ping Sleep Batch Command", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "ce058d6c-79f2-11ec-b476-acde48001122", "description": "The following analytic identifies the execution of ping sleep batch commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection or sandbox analysis. If confirmed malicious, this technique allows attackers to bypass security measures, making it harder to detect and analyze their activities, thereby increasing the risk of prolonged unauthorized access and potential data exfiltration.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Data Destruction", "Warzone RAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious $process$ commandline run in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1497", "T1497.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = \"*ping*\" Processes.parent_process = *-n* Processes.parent_process=\"* Nul*\"Processes.parent_process=\"*>*\") OR (Processes.process = \"*ping*\" Processes.process = *-n* Processes.process=\"* Nul*\"Processes.process=\"*>*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator or network operator may execute this command. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ping_sleep_batch_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_ping", "definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Possible Browser Pass View Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "8ba484e8-4b97-11ec-b19a-acde48001122", "description": "The following analytic identifies processes with command-line parameters associated with web browser credential dumping tools, specifically targeting behaviors used by Remcos RAT malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and specific file paths. This activity is significant as it indicates potential credential theft, a common tactic in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain unauthorized access to sensitive web credentials, leading to further system compromise and data breaches.", "references": ["https://www.nirsoft.net/utils/web_browser_password.html", "https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "suspicious process $process_name$ contains commandline $process$ on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555.003", "T1555"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*/stext *\", \"*/shtml *\", \"*/LoadPasswordsIE*\", \"*/LoadPasswordsFirefox*\", \"*/LoadPasswordsChrome*\", \"*/LoadPasswordsOpera*\", \"*/LoadPasswordsSafari*\" , \"*/UseOperaPasswordFile*\", \"*/OperaPasswordFile*\",\"*/stab*\", \"*/scomma*\", \"*/stabular*\", \"*/shtml*\", \"*/sverhtml*\", \"*/sxml*\", \"*/skeepass*\" ) AND Processes.process IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positive is quite limited. Filter is needed", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "possible_browser_pass_view_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 3, "id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "description": "The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1021/006/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/005/", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A PowerShell process was spawned as a child process of typically abused processes on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN (\"*c:\\windows\\ccm\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "possible_lateral_movement_powershell_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Potential password in username", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-11", "version": 2, "id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "description": "The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system.", "references": ["https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928"], "tags": {"analytic_story": ["Credential Dumping", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential password in username ($user$) with Shannon entropy ($ut_shannon$)", "risk_score": 21, "security_domain": "access", "risk_severity": "low", "mitre_attack_id": ["T1078.003", "T1552.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY \"Authentication.user\" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search=\"| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\\\"$src$\\\" Authentication.dest=\\\"$dest$\\\" sourcetype IN (\\\"$sourcetype$\\\") earliest=\\\"$starttime$\\\" latest=\\\"$endtime$\\\" BY \\\"Authentication.user\\\" | `drop_dm_object_name(\\\"Authentication\\\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\\\"$incorrect_cred$\\\" | eval ut_shannon=\\\"$ut_shannon$\\\" | sort count\" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`", "how_to_implement": "To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000.", "known_false_positives": "Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potential_password_in_username_false_positive_reduction", "definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username"}, {"name": "potential_password_in_username_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Potentially malicious code on commandline", "author": "Michael Hart, Splunk", "date": "2024-05-12", "version": 2, "id": "9c53c446-757e-11ec-871d-acde48001122", "description": "The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as \"streamreader,\" \"webclient,\" \"mutex,\" \"function,\" and \"computehash,\" which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://attack.mitre.org/techniques/T1059/003/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Unusual command-line execution with command line length greater than 200 found on $dest$ with commandline value - [$process$]", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=\"Endpoint.Processes\" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "potentially_malicious_code_on_cmdline_tokenize_score", "definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier"}, {"name": "potentially_malicious_code_on_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PowerShell 4104 Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "d6f2b006-0041-11ec-8885-acde48001122", "description": "The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.", "references": ["https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell", "https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt", "https://devblogs.microsoft.com/powershell/powershell-the-blue-team/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1", "https://www.mandiant.com/resources/greater-visibilityt", "https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware", "Data Destruction", "Flax Typhoon", "Hermetic Wiper", "Malicious PowerShell", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Powershell was identified on endpoint $host$ by user $user$ executing suspicious commands.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,\"(?i)(\\$doit)\"), \"4\", 0) | eval enccom=if(match(ScriptBlockText,\"[A-Za-z0-9+\\/]{44,}([A-Za-z0-9+\\/]{4}|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{2}==)\") OR match(ScriptBlockText, \"(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, \"(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\\S+|invoke-\\S+hunter|Install-Service|get-\\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand\"),1,0) | eval base64 = if(match(lower(ScriptBlockText),\"frombase64\"), \"4\", 0) | eval empire=if(match(lower(ScriptBlockText),\"system.net.webclient\") AND match(lower(ScriptBlockText), \"frombase64string\") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),\"mimikatz\") OR match(lower(ScriptBlockText), \"-dumpcr\") OR match(lower(ScriptBlockText), \"SEKURLSA::Pth\") OR match(lower(ScriptBlockText), \"kerberos::ptt\") OR match(lower(ScriptBlockText), \"kerberos::golden\") ,5,0) | eval iex=if(match(ScriptBlockText, \"(?i)iex|invoke-expression\"),2,0) | eval webclient=if(match(lower(ScriptBlockText),\"http\") OR match(lower(ScriptBlockText),\"web(client|request)\") OR match(lower(ScriptBlockText),\"socket\") OR match(lower(ScriptBlockText),\"download(file|string)\") OR match(lower(ScriptBlockText),\"bitstransfer\") OR match(lower(ScriptBlockText),\"internetexplorer.application\") OR match(lower(ScriptBlockText),\"xmlhttp\"),5,0) | eval get = if(match(lower(ScriptBlockText),\"get-\"), \"1\", 0) | eval rundll32 = if(match(lower(ScriptBlockText),\"rundll32\"), \"4\", 0) | eval suspkeywrd=if(match(ScriptBlockText, \"(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\\.Assembly|shellcode|injection|cnvert|shell\\.application|start-process|Rc4ByteStream|System\\.Security\\.Cryptography|lsass\\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)\"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),\"syswow64\"), \"3\", 0) | eval httplocal = if(match(lower(ScriptBlockText),\"http://127.0.0.1\"), \"4\", 0) | eval reflection = if(match(lower(ScriptBlockText),\"reflection\"), \"1\", 0) | eval invokewmi=if(match(lower(ScriptBlockText), \"(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)\"),5,0) | eval downgrade=if(match(ScriptBlockText, \"(?i)([-]ve*r*s*i*o*n*\\s+2)\") OR match(lower(ScriptBlockText),\"powershell -version\"),3,0) | eval compressed=if(match(ScriptBlockText, \"(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive\"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),\"invoke-command\"), \"4\", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by UserID, Computer, DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Limited false positives. May filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_4104_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "author": "David Dorsey, Michael Haag Splunk", "date": "2024-05-12", "version": 9, "id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "description": "The following analytic detects PowerShell commands using the WindowStyle parameter to hide the window while connecting to the Internet. This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions that include variations of the WindowStyle parameter. This activity is significant because it attempts to bypass default PowerShell execution policies and conceal its actions, which is often indicative of malicious intent. If confirmed malicious, this could allow an attacker to execute commands stealthily, potentially leading to unauthorized data exfiltration or further compromise of the endpoint.", "references": ["https://regexr.com/663rr", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/"], "tags": {"analytic_story": ["AgentTesla", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Log4Shell CVE-2021-44228", "Malicious PowerShell", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell___connect_to_internet_with_hidden_window_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ea61e291-af05-4716-932a-67faddb6ae6f", "description": "The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script has been identified with InProcServer32 within the script code on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.015", "T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Software\\\\Classes\\\\CLSID\\\\*\\\\InProcServer32*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives will be present if any scripts are adding to inprocserver32. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Creating Thread Mutex", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 4, "id": "637557ec-ca08-11eb-bd0a-acde48001122", "description": "The following analytic detects the execution of PowerShell scripts using the `mutex` function via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create thread mutexes, a technique often used in obfuscated scripts to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment.", "references": ["https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains Thread Mutex on host $dest$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027", "T1027.005", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Threading.Mutex*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell developer may used this function in their script for instance checking too.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_creating_thread_mutex_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Disable Security Monitoring", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 4, "id": "c148a894-dd93-11eb-bf2a-acde48001122", "description": "The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Defender Real-time Behavior Monitoring disabled on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"*set-mppreference*\" AND Processes.process IN (\"*disablerealtimemonitoring*\",\"*disableioavprotection*\",\"*disableintrusionpreventionsystem*\",\"*disablescriptscanning*\",\"*disableblockatfirstseen*\",\"*DisableBehaviorMonitoring*\",\"*drtm *\",\"*dioavp *\",\"*dscrptsc *\",\"*dbaf *\",\"*dbm *\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. However, tune based on scripts that may perform this action.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell_disable_security_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PowerShell Domain Enumeration", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "e1866ce2-ca22-11eb-8e44-acde48001122", "description": "The following analytic detects the execution of PowerShell commands used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_domain_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Enable PowerShell Remoting", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "description": "The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-PSremoting on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Enable-PSRemoting*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_powershell_remoting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Enable SMB1Protocol Feature", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "afed80b2-d34b-11eb-a952-acde48001122", "description": "The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Powershell Enable SMB1Protocol Feature on $Computer$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027", "T1027.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Enable-WindowsOptionalFeature*\" ScriptBlockText = \"*SMB1Protocol*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "network operator may enable or disable this windows feature.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_smb1protocol_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Execute COM Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "65711630-f9bf-11eb-8d72-acde48001122", "description": "The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains COM CLSID command on host $dest$", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.015", "T1546", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*CreateInstance([type]::GetTypeFromCLSID*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operrator may use this command.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_execute_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "a26d9db4-c883-11eb-9d75-acde48001122", "description": "The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains GetProcAddress API on host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1055", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_process_injection_via_getprocaddress_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "8acbc04c-c882-11eb-b060-acde48001122", "description": "The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell", "NjRAT", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious powershell script contains base64 command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1027", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_script_contains_base64_encoded_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Get LocalGroup Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "b71adfcc-155b-11ec-9413-acde48001122", "description": "The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process=\"*get-localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell_get_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "d7c6ad22-155c-11ec-bb64-acde48001122", "description": "The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on endpoint $dest$ by user $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-localgroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_get_localgroup_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "651ee958-a433-471c-b264-39725b788b83", "description": "The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-CIMMethod*\", \"*New-CimSession*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_cimmethod_cimsession_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Invoke WmiExec Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "0734bd21-2769-4972-a5f1-78bb1e011224", "description": "The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a Invoke-WmiExec on $Computer$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-wmiexec*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_wmiexec_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Load Module in Meterpreter", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "d5905da5-d050-48db-9259-018d8f034fcf", "description": "The following analytic detects the execution of suspicious PowerShell commands associated with Meterpreter modules, such as \"MSF.Powershell\" and \"MSF.Powershell.Meterpreter\". It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it indicates potential post-exploitation actions, including credential dumping and persistence mechanisms. If confirmed malicious, an attacker could gain extensive control over the compromised system, escalate privileges, and maintain long-term access, posing a severe threat to the environment.", "references": ["https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs"], "tags": {"analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user_id", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*MSF.Powershell*\",\"*MSF.Powershell.Meterpreter*\",\"*MSF.Powershell.Meterpreter.Kiwi*\",\"*MSF.Powershell.Meterpreter.Transport*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives should be very limited as this is strict to MetaSploit behavior.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_load_module_in_meterpreter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 4, "id": "85bc3f30-ca28-11eb-bd21-acde48001122", "description": "The following analytic detects the use of PowerShell to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["AgentTesla", "AsyncRAT", "Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*[system.reflection.assembly]::load(*\",\"*[reflection.assembly]*\", \"*reflection.assembly*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as day to day scripts do not use this method.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_loading_dotnet_into_memory_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Processing Stream Of Data", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "0d718b52-c9f1-11eb-bc61-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment.", "references": ["https://medium.com/@ahmedjouini99/deobfuscating-emotets-powershell-payload-e39fb116f7b9", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*IO.Compression.*\" OR ScriptBlockText = \"*IO.StreamReader*\" OR ScriptBlockText = \"*]::Decompress*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to process compressed data.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_processing_stream_of_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Remote Services Add TrustedHost", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "bef21d24-297e-45e3-9b9a-c6ac45450474", "description": "The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a powershell script adding a remote trustedhost on $dest$ .", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021.006", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*WSMan:\\\\localhost\\\\Client\\\\TrustedHosts*\" ScriptBlockText IN (\"* -Value *\", \"* -Concatenate *\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "user and network administrator may used this function to add trusted host.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remote_services_add_trustedhost_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Remote Thread To Known Windows Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "description": "The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.", "references": ["https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode = 8 parent_process_name IN (\"powershell_ise.exe\", \"powershell.exe\") TargetImage IN (\"*\\\\svchost.exe\",\"*\\\\csrss.exe\" \"*\\\\gpupdate.exe\", \"*\\\\explorer.exe\",\"*\\\\services.exe\",\"*\\\\winlogon.exe\",\"*\\\\smss.exe\",\"*\\\\wininit.exe\",\"*\\\\userinit.exe\",\"*\\\\spoolsv.exe\",\"*\\\\taskhost.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell_remote_thread_to_known_windows_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Powershell Remove Windows Defender Directory", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 4, "id": "adf47620-79fa-11ec-b248-acde48001122", "description": "The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing \"rmdir\" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "suspicious powershell script $ScriptBlockText$ was executed on the $Computer$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*rmdir *\" AND ScriptBlockText = \"*\\\\Microsoft\\\\Windows Defender*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remove_windows_defender_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Script Block With URL Chain", "author": "Steven Dick", "date": "2024-05-30", "version": 2, "id": "4a3f2a7d-6402-4e64-a76a-869588ec3b57", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. It leverages PowerShell operational logs to detect script blocks with embedded URLs, often indicative of obfuscated scripts or those attempting to download secondary payloads. This activity is significant as it may signal an attempt to execute malicious code or download additional malware. If confirmed malicious, this could lead to code execution, further system compromise, or data exfiltration. Review parallel processes and the full script block for additional context and related artifacts.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.001", "T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*http:*\",\"*https:*\") | regex ScriptBlockText=\"(\\\"?(https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\\\"?(?:,|\\))?){2,}\" | rex max_match=20 field=ScriptBlockText \"(?https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_script_block_with_url_chain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell Start-BitsTransfer", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 3, "id": "39e2605a-90d8-11eb-899e-acde48001122", "description": "The following analytic detects the execution of the PowerShell command `Start-BitsTransfer`, which can be used for file transfers, including potential data exfiltration. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because `Start-BitsTransfer` can be abused by adversaries to upload sensitive files to remote locations, posing a risk of data loss. If confirmed malicious, this could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further exploitation of the network.", "references": ["https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281", "https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs"], "tags": {"analytic_story": ["BITS Jobs"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1197"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell_start_bitstransfer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "PowerShell Start or Stop Service", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "description": "The following analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security.", "references": ["https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_start_or_stop_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Using memory As Backing Store", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution using memory streams as a backing store, identified via EventCode 4104. It leverages PowerShell Script Block Logging to capture scripts that create new objects with memory streams, often used to decompress and execute payloads in memory. This activity is significant as it indicates potential in-memory execution of malicious code, bypassing traditional file-based detection. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges without leaving a trace on the disk.", "references": ["https://web.archive.org/web/20201112031711/https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "IcedID", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains memorystream command on host $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to store out object into memory.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_using_memory_as_backing_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PowerShell WebRequest Using Memory Stream", "author": "Steven Dick", "date": "2024-05-12", "version": 2, "id": "103affa6-924a-4b53-aff4-1d5075342aab", "description": "The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://attack.mitre.org/techniques/T1059/001/"], "tags": {"analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.001", "T1105", "T1027.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*system.net.webclient*\",\"*system.net.webrequest*\") AND ScriptBlockText=\"*IO.MemoryStream*\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_webrequest_using_memory_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Powershell Windows Defender Exclusion Commands", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "description": "The following analytic detects the use of PowerShell commands to add or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["AgentTesla", "CISA AA22-320A", "Data Destruction", "Remcos", "Warzone RAT", "WhisperGate", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "exclusion command $ScriptBlockText$ executed on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Add-MpPreference *\" OR ScriptBlockText = \"*Set-MpPreference *\") AND ScriptBlockText = \"*-exclusion*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_windows_defender_exclusion_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "description": "The following analytic detects the execution of \"bcdedit.exe\" with parameters to set the boot status policy to ignore all failures. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it can indicate an attempt by ransomware to prevent a compromised machine from booting into automatic repair mode, thereby hindering recovery efforts. If confirmed malicious, this action could allow attackers to maintain control over the infected system, complicating remediation and potentially leading to further damage.", "references": ["https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"], "tags": {"analytic_story": ["Chaos Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"bcdedit.exe\" Processes.process = \"*bootstatuspolicy*\" Processes.process = \"*ignoreallfailures*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration ignore failure during testing and debugging.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "prevent_automatic_repair_mode_using_bcdedit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Print Processor Registry Autostart", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 3, "id": "1f5b68aa-2037-11ec-898e-acde48001122", "description": "The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine.", "references": ["https://attack.mitre.org/techniques/T1547/012/", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Print Processors*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "possible new printer installation may add driver component on this registry.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "print_processor_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Print Spooler Adding A Printer Driver", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "313681a2-da8e-11eb-adad-acde48001122", "description": "The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as \"kernelbase.dll\" and \"UNIDRV.DLL.\" This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. Immediate isolation and investigation of the endpoint are recommended.", "references": ["https://twitter.com/MalwareJake/status/1410421445608476679?s=20", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious print driver was loaded on endpoint $ComputerName$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`printservice` EventCode=316 category = \"Adding a printer driver\" Message = \"*kernelbase.dll,*\" Message = \"*UNIDRV.DLL,*\" Message = \"*.DLL.*\" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "Unknown. This may require filtering.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "print_spooler_adding_a_printer_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Print Spooler Failed to Load a Plug-in", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "1adc9548-da7c-11eb-8f13-acde48001122", "description": "The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as \"meterpreter.dll,\" with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`printservice` ((ErrorCode=\"0x45A\" (EventCode=\"808\" OR EventCode=\"4909\")) OR (\"The print spooler failed to load a plug-in module\" OR \"\\\\drivers\\\\x64\\\\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "False positives are unknown and filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "print_spooler_failed_to_load_a_plug_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Process Creating LNK file in Suspicious Location", "author": "Jose Hernandez, Michael Haag, Splunk", "date": "2024-05-15", "version": 7, "id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "description": "The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\\User*` or `*\\Local\\Temp\\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.", "references": ["https://attack.mitre.org/techniques/T1566/001/", "https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["Amadey", "IcedID", "Qakbot", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that launching .lnk file in $file_path$ in host $dest$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.lnk\" AND (Filesystem.file_path=\"C:\\\\Users\\\\*\" OR Filesystem.file_path=\"*\\\\Temp\\\\*\") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_name Processes.parent_process_guid Processes.process_name Processes.dest Processes.process Processes.path | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_creating_lnk_file_in_suspicious_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Process Deleting Its Process File Path", "author": "Teoderick Contreras", "date": "2024-05-27", "version": 3, "id": "f7eda4bc-871c-11eb-b110-acde48001122", "description": "The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "Data Destruction", "Remcos", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $Image$ tries to delete its process path in commandline $CommandLine$ as part of defense evasion in host $dest$ by user $user$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=1 CommandLine = \"* /c *\" CommandLine = \"* del*\" Image = \"*\\\\cmd.exe\" | eval result = if(like(process,\"%\".parent_process.\"%\"), \"Found\", \"Not Found\") | stats min(_time) as firstTime max(_time) as lastTime count by dest user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = \"Found\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_deleting_its_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Process Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-22", "version": 6, "id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "description": "The following analytic detects the execution of a process by `WmiPrvSE.exe`, indicating potential use of WMI (Windows Management Instrumentation) for process creation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as WMI can be used for lateral movement, remote code execution, or persistence by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary commands or scripts, potentially leading to further compromise of the affected system or network.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe NOT (Processes.process IN (\"*\\\\dismhost.exe*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to execute commands for legitimate purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Process Kill Base On File Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "description": "The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process=\"*process*\" AND Processes.process=\"*executablepath*\" AND Processes.process=\"*delete*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_kill_base_on_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Process Writing DynamicWrapperX", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "b0a078e4-2601-11ec-9aec-acde48001122", "description": "The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended.", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1559.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"dynwrapx.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_writing_dynamicwrapperx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Processes launching netsh", "author": "Michael Haag, Josef Kuepker, Splunk", "date": "2024-05-24", "version": 5, "id": "b89919ed-fe5f-492c-b139-95dbb162040e", "description": "The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "Netsh Abuse", "Snake Keylogger", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 14, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "processes_launching_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Processes Tapping Keyboard Events", "author": "Jose Hernandez, Splunk", "date": "2024-05-13", "version": 2, "id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "description": "The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.", "references": [], "tags": {"analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.", "known_false_positives": "There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "processes_tapping_keyboard_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Randomly Generated Scheduled Task Name", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "description": "The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://splunkbase.splunk.com/app/2734/", "https://en.wikipedia.org/wiki/Entropy_(information_theory)"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task with a suspicious task name was created on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Scheduled Task names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "randomly_generated_scheduled_task_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Randomly Generated Windows Service Name", "author": "Mauricio Velazco, Splunk", "date": "2024-05-30", "version": 2, "id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "description": "The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service with a suspicious service name was installed on $ComputerName$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Windows Service names.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "randomly_generated_windows_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Ransomware Notes bulk creation", "author": "Teoderick Contreras", "date": "2024-05-25", "version": 2, "id": "eff7919a-8330-11eb-83f8-acde48001122", "description": "The following analytic identifies the bulk creation of ransomware notes (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode 11 to detect multiple instances of these file types being created within a short time frame. This activity is significant as it often indicates an active ransomware attack, where the attacker is notifying the victim of the encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["BlackMatter Ransomware", "Chaos Ransomware", "Clop Ransomware", "DarkSide Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A high frequency file creation of $file_name$ in different file path in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ransomware_notes_bulk_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Recon AVProduct Through Pwh or WMI", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "28077620-c9f6-11eb-8785-acde48001122", "description": "The following analytic detects suspicious PowerShell script execution via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like \"SELECT,\" \"WMIC,\" \"AntiVirusProduct,\" or \"AntiSpywareProduct.\" This activity is significant as it is commonly used by malware and APT actors to map running security applications or services, potentially aiding in evasion techniques. If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell", "Prestige Ransomware", "Qakbot", "Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains AV recon command on host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1592"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_avproduct_through_pwh_or_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Recon Using WMI Class", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "018c1972-ca07-11eb-9473-acde48001122", "description": "The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Industroyer2", "LockBit Ransomware", "Malicious PowerShell", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains host recon commands detected on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1592", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 (ScriptBlockText= \"*SELECT*\" OR ScriptBlockText= \"*Get-WmiObject*\") AND (ScriptBlockText= \"*Win32_Bios*\" OR ScriptBlockText= \"*Win32_OperatingSystem*\" OR ScriptBlockText= \"*Win32_Processor*\" OR ScriptBlockText= \"*Win32_ComputerSystem*\" OR ScriptBlockText= \"*Win32_PnPEntity*\" OR ScriptBlockText= \"*Win32_ShadowCopy*\" OR ScriptBlockText= \"*Win32_DiskDrive*\" OR ScriptBlockText= \"*Win32_PhysicalMemory*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_using_wmi_class_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Recursive Delete of Directory In Batch CMD", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 4, "id": "ba570b3a-d356-11eb-8358-acde48001122", "description": "The following analytic detects the execution of a batch command designed to recursively delete files or directories, a technique often used by ransomware like Reddot to delete files in the recycle bin and prevent recovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific flags for recursive and quiet deletions. This activity is significant as it indicates potential ransomware behavior aimed at data destruction. If confirmed malicious, it could lead to significant data loss and hinder recovery efforts, severely impacting business operations.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Recursive Delete of Directory In Batch CMD by $user$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process=\"* rd *\" Processes.process=\"*/s*\" Processes.process=\"*/q*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network operator may use this batch command to delete recursively a directory or files within directory", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "recursive_delete_of_directory_in_batch_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "author": "Rico Valdez, Splunk", "date": "2024-05-17", "version": 6, "id": "8470d755-0c13-45b3-bd63-387a373c10cf", "description": "The following analytic detects the use of reg.exe to modify registry keys associated with Windows services and their configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because unauthorized changes to service registry keys can indicate an attempt to establish persistence or escalate privileges. If confirmed malicious, this could allow an attacker to control service behavior, potentially leading to unauthorized code execution or system compromise.", "references": [], "tags": {"analytic_story": ["Living Off The Land", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A reg.exe process $process_name$ with commandline $process$ in host $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.011", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "reg_exe_manipulating_windows_services_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Registry Keys for Creating SHIM Databases", "author": "Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 7, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "description": "The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.", "references": [], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to shim modication in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.011", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "registry_keys_for_creating_shim_databases_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Registry Keys Used For Persistence", "author": "Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk", "date": "2024-05-25", "version": 10, "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "description": "The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.", "references": [], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "CISA AA23-347A", "Chaos Ransomware", "DHS Report TA18-074A", "DarkGate Malware", "Emotet Malware DHS Report TA18-201A", "IcedID", "NjRAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Qakbot", "Ransomware", "RedLine Stealer", "Remcos", "Snake Keylogger", "Sneaky Active Directory Persistence Tricks", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to persistence in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.001", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce OR Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\" OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\" OR Registry.registry_path=*\\\\currentversion\\\\run* OR Registry.registry_path=*\\\\currentVersion\\\\Windows\\\\Appinit_Dlls* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Notify* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\VmApplet* OR Registry.registry_path=*\\\\currentversion\\\\policies\\\\explorer\\\\run* OR Registry.registry_path=*\\\\currentversion\\\\runservices* OR Registry.registry_path=HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\* OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\" OR Registry.registry_path= *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler OR Registry.registry_path= *\\\\Classes\\\\htmlfile\\\\shell\\\\open\\\\command OR (Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\") OR (Registry.registry_path=\"*currentVersion\\\\Windows\" AND Registry.registry_key_name=\"Load\") OR (Registry.registry_path=\"*\\\\CurrentVersion\" AND Registry.registry_key_name=\"Svchost\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\Control\\Session Manager\"AND Registry.registry_key_name=\"BootExecute\") OR (Registry.registry_path=\"*\\\\Software\\\\Run\" AND Registry.registry_key_name=\"auto_update\")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "registry_keys_used_for_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Registry Keys Used For Privilege Escalation", "author": "Steven Dick, David Dorsey, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 8, "id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "description": "The following analytic detects modifications to registry keys under \"Image File Execution Options\" that can be used for privilege escalation. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths and values like GlobalFlag and Debugger. This activity is significant because attackers can use these modifications to intercept executable calls and attach malicious binaries to legitimate system binaries. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges, leading to potential system compromise and persistent access.", "references": ["https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/"], "tags": {"analytic_story": ["Cloud Federated Credential Abuse", "Data Destruction", "Hermetic Wiper", "Suspicious Windows Registry Activities", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry activity in $registry_path$ related to privilege escalation in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.012", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "registry_keys_used_for_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "f421c250-24e7-11ec-bc43-acde48001122", "description": "The following analytic detects the loading of a DLL using the regsvr32 application with the silent parameter and DLLInstall execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent process details. This activity is significant as it is commonly used by RAT malware like Remcos and njRAT to load malicious DLLs on compromised machines. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, and further compromise the system.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/", "https://attack.mitre.org/techniques/T1218/010/"], "tags": {"analytic_story": ["AsyncRAT", "Data Destruction", "Hermetic Wiper", "Living Off The Land", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process=\"*/i*\" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_silent_and_install_param_dll_loading_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other third part application may used this parameter but not so common in base windows environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "regsvr32_silent_and_install_param_dll_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 3, "id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "description": "The following analytic detects the execution of Regsvr32.exe with the silent switch to load DLLs. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing the `-s` or `/s` switches. This activity is significant as it is commonly used in malware campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, this could allow an attacker to execute arbitrary code, download additional payloads, and potentially compromise the system further. Immediate investigation and endpoint isolation are recommended.", "references": ["https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/", "https://regexr.com/699e2"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Living Off The Land", "Qakbot", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_with_known_silent_switch_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "minimal. but network operator can use this application to load dll.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "regsvr32_with_known_silent_switch_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remcos client registry install entry", "author": "Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "f2a1615a-1d63-11ec-97d2-acde48001122", "description": "The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the \"license\" key is found in the \"Software\\Remcos\" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. Immediate investigation and remediation are required.", "references": ["https://attack.mitre.org/software/S0332/"], "tags": {"analytic_story": ["Remcos", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\\\Software\\\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remcos_client_registry_install_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remcos RAT File Creation in Remcos Folder", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "date": "2024-05-24", "version": 3, "id": "25ae862a-1ac3-11ec-94a1-acde48001122", "description": "The following analytic detects the creation of files in the Remcos folder within the AppData directory, specifically targeting keylog and clipboard log files. It leverages the Endpoint.Filesystem data model to identify .dat files created in paths containing \"remcos.\" This activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. If confirmed malicious, this could lead to unauthorized data exfiltration and extensive surveillance capabilities for the attacker.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "file $file_name$ created in $file_path$ of $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.dat\") Filesystem.file_path = \"*\\\\remcos\\\\*\" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remcos_rat_file_creation_in_remcos_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Desktop Process Running On System", "author": "David Dorsey, Splunk", "date": "2024-05-24", "version": 6, "id": "f5939373-8054-40ad-8c64-cec478a22a4a", "description": "The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remote_desktop_process_running_on_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint by abusing the DCOM protocol, specifically targeting ShellExecute and ExecuteShellCommand. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant as it indicates potential lateral movement and remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, escalate privileges, and move laterally within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing DCOM using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Document.ActiveView.ExecuteShellCommand*\" OR Processes.process=\"*Document.Application.ShellExecute*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_dcom_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 3, "id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "description": "The following analytic detects the execution of PowerShell commands that initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Document.Application.ShellExecute*\" OR ScriptBlockText=\"*Document.ActiveView.ExecuteShellCommand*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` with arguments used to start a process on a remote endpoint via the WinRM protocol, specifically targeting the `Invoke-Command` cmdlet. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-Command*\" AND Processes.process=\"*-ComputerName*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_winrm_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "description": "The following analytic detects the execution of PowerShell commands that use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify such activities. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Invoke-Command*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote Process Instantiation via WinRM and Winrs", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "description": "The following analytic detects the execution of `winrs.exe` with command-line arguments used to start a process on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and lateral spread within the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs", "https://attack.mitre.org/techniques/T1021/006/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process=\"*-r:*\" OR Processes.process=\"*-remote:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remote_process_instantiation_via_winrm_and_winrs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WMI", "author": "Rico Valdez, Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 8, "id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "description": "The following analytic detects the execution of wmic.exe with parameters to spawn a process on a remote system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry mapped to the `Processes` node of the `Endpoint` data model. This activity is significant as WMI can be abused for lateral movement and remote code execution, often used by adversaries and Red Teams. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, facilitating further compromise and lateral spread within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Ransomware", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=\"*/node:*\" AND Processes.process=\"*process*\" AND Processes.process=\"*call*\" AND Processes.process=\"*create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "description": "The following analytic detects the execution of `powershell.exe` using the `Invoke-WmiMethod` cmdlet to start a process on a remote endpoint via WMI. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process telemetry. This activity is significant as it indicates potential lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $dest by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-WmiMethod*\" AND Processes.process=\"*-CN*\" AND Processes.process=\"*-Class Win32_Process*\" AND Processes.process=\"*-Name create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_wmi_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "2a048c14-4634-11ec-a618-3e22fbd008af", "description": "The following analytic detects the execution of the `Invoke-WmiMethod` commandlet with parameters used to start a process on a remote endpoint via WMI, leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies specific script block text patterns associated with remote process instantiation. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Invoke-WmiMethod*\" AND (ScriptBlockText=\"*-CN*\" OR ScriptBlockText=\"*-ComputerName*\") AND ScriptBlockText=\"*-Class Win32_Process*\" AND ScriptBlockText=\"*-Name create*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote System Discovery with Adsisearcher", "author": "Mauricio Velazco, Splunk", "date": "2024-05-09", "version": 3, "id": "70803451-0047-4e12-9d63-77fa7eb8649c", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell scripts to query Active Directory for domain computers. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` or `findOne()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to perform Active Directory discovery and gain situational awareness. If confirmed malicious, this could lead to further reconnaissance and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration with adsisearcher on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*adsisearcher*\" AND ScriptBlockText = \"*objectcategory=computer*\" AND ScriptBlockText IN (\"*findAll()*\",\"*findOne()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_system_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Remote System Discovery with Dsquery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "description": "The following analytic detects the execution of `dsquery.exe` with the `computer` argument, which is used to discover remote systems within a domain. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Remote system discovery is significant as it indicates potential reconnaissance activities by adversaries or Red Teams to map out network resources and Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, lateral movement, and unauthorized access to critical systems within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remote_system_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote System Discovery with Net", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "9df16706-04a2-41e2-bbfe-9b38b34409d3", "description": "The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Active Directory Discovery", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*domain computers*\" AND Processes.process=*/do*) OR (Processes.process=\"*view*\" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remote_system_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote System Discovery with Wmic", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "description": "The following analytic detects the execution of `wmic.exe` with specific command-line arguments used to discover remote systems within a domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out network resources and Active Directory structures. If confirmed malicious, this behavior could allow attackers to gain situational awareness, identify critical systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Remote system discovery enumeration on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_computer* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "remote_system_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote WMI Command Attempt", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-17", "version": 5, "id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "description": "The following analytic detects the execution of `wmic.exe` with the `node` switch, indicating an attempt to spawn a local or remote process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, the attacker could gain remote control over the targeted system, execute arbitrary commands, and potentially escalate privileges or persist within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.yaml", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Graceful Wipe Out Attack", "IcedID", "Living Off The Land", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process$ contain node commandline $process$ in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may use this legitimately to gather info from remote systems. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_wmi_command_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Resize ShadowStorage volume", "author": "Teoderick Contreras", "date": "2024-05-13", "version": 2, "id": "bc760ca6-8336-11eb-bcbb-acde48001122", "description": "The following analytic identifies the resizing of shadow storage volumes, a technique used by ransomware like CLOP to prevent the recreation of shadow volumes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"vssadmin.exe\" with parameters related to resizing shadow storage. This activity is significant as it indicates an attempt to hinder recovery efforts by manipulating shadow copies. If confirmed malicious, this could lead to successful ransomware deployment, making data recovery difficult and increasing the potential for data loss.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://redcanary.com/blog/blackbyte-ransomware/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage"], "tags": {"analytic_story": ["BlackByte Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $parent_process_name$ attempt to resize shadow copy with commandline $process$ in host $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell.exe\" OR Processes.parent_process_name = \"powershell_ise.exe\" OR Processes.parent_process_name = \"wmic.exe\" Processes.process_name = \"vssadmin.exe\" Processes.process=\"*resize*\" Processes.process=\"*shadowstorage*\" Processes.process=\"*/maxsize*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network admin can resize the shadowstorage for valid purposes.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "resize_shadowstorage_volume_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Revil Common Exec Parameter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 3, "id": "85facebe-c382-11eb-9c3e-acde48001122", "description": "The following analytic detects the execution of command-line parameters commonly associated with REVIL ransomware, such as \"-nolan\", \"-nolocal\", \"-fast\", and \"-full\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the `Processes` node of the `Endpoint` data model. This activity is significant because these parameters are indicative of ransomware attempting to encrypt files on a compromised machine. If confirmed malicious, this could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* -nolan *\" OR Processes.process = \"* -nolocal *\" OR Processes.process = \"* -fast *\" OR Processes.process = \"* -full *\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party tool may have same command line parameters as revil ransomware.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "revil_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Revil Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 4, "id": "e3d3f57a-c381-11eb-9e35-acde48001122", "description": "The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as `SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant` and `SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "revil_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rubeus Command Line Parameters", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "cca37478-8377-11ec-b59a-acde48001122", "description": "The following analytic detects the use of Rubeus command line parameters, a toolset for Kerberos attacks within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as Rubeus is commonly used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "message": "Rubeus command line parameters were used on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*ptt /ticket*\" OR Processes.process = \"* monitor /interval*\" OR Processes.process =\"* asktgt* /user:*\" OR Processes.process =\"* asktgs* /service:*\" OR Processes.process =\"* golden* /user:*\" OR Processes.process =\"* silver* /service:*\" OR Processes.process =\"* kerberoast*\" OR Processes.process =\"* asreproast*\" OR Processes.process = \"* renew* /ticket:*\" OR Processes.process = \"* brute* /password:*\" OR Processes.process = \"* brute* /passwords:*\" OR Processes.process =\"* harvest*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rubeus_command_line_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "author": "Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 2, "id": "5ed8c50a-8869-11ec-876f-acde48001122", "description": "The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "Winlogon.exe was accessed by $SourceImage$ on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550", "T1550.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `sysmon` EventCode=10 TargetImage=C:\\\\Windows\\\\system32\\\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\\\Windows\\\\system32\\\\svchost.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\lsass.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\LogonUI.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\smss.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment.", "known_false_positives": "Legitimate applications may obtain a handle for winlogon.exe. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Runas Execution in CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "4807e716-43a4-11ec-a0e7-acde48001122", "description": "The following analytic detects the execution of the runas.exe process with administrator user options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to gain elevated privileges, a common tactic in privilege escalation and lateral movement. If confirmed malicious, this could allow an attacker to execute commands with higher privileges, potentially leading to unauthorized access, data exfiltration, or further compromise of the target host.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "elevated process using runas on $dest$ by $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134", "T1134.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = \"*/user:*\" AND Processes.process = \"*admin*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_runas", "definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "runas_execution_in_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Control RunDLL Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "description": "The following analytic identifies instances of rundll32.exe executing with `Control_RunDLL` in the command line, which is indicative of loading a .cpl or other file types. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as rundll32.exe can be exploited to execute malicious Control Panel Item files, potentially linked to CVE-2021-40444. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_control_rundll_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "1adffe86-10c3-11ec-8ce6-acde48001122", "description": "The following analytic detects the execution of rundll32.exe with the `Control_RunDLL` command, loading files from world-writable directories such as windows\\temp, programdata, or appdata. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process command-line data and specific directory paths. This activity is significant as it may indicate an attempt to exploit CVE-2021-40444 or similar vulnerabilities, allowing attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"analytic_story": ["Living Off The Land", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_control_rundll_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Create Remote Thread To A Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "2dbeee3a-f067-11eb-96c0-acde48001122", "description": "The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage = \"*.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_create_remote_thread_to_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "f8a22586-ee2d-11eb-a193-acde48001122", "description": "The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_createremotethread_in_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 DNSQuery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "f1483f5e-ee29-11eb-9d23-acde48001122", "description": "The following analytic detects a suspicious `rundll32.exe` process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is commonly associated with IcedID malware, where `rundll32.exe` checks internet connectivity and communicates with C&C servers to download configurations and other components. If confirmed malicious, this activity could allow attackers to establish persistence, download additional payloads, and exfiltrate sensitive data, posing a severe threat to the network.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ made a DNS query for $query$ from host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 process_name=\"rundll32.exe\" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_dnsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 LockWorkStation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 3, "id": "fa90f372-f91d-11eb-816c-acde48001122", "description": "The following analytic detects the execution of the rundll32.exe command with the user32.dll,LockWorkStation parameter, which is used to lock the workstation via command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is an uncommon method to lock a screen and has been observed in CONTI ransomware tooling for defense evasion. If confirmed malicious, this technique could indicate an attempt to evade detection and hinder incident response efforts.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,LockWorkStation*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "rundll32_lockworkstation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 3, "id": "6338266a-ee2a-11eb-bf68-acde48001122", "description": "The following analytic detects a rundll32 process creating executable (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to identify instances where rundll32.exe generates these file types. This activity is significant because rundll32 is often exploited by malware, such as IcedID, to drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, establish persistence, or escalate privileges within the environment.", "references": ["https://any.run/malware-trends/icedid"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "rundll32 process drops a file $file_name$ on host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*rundll32.exe\" TargetFilename IN (\"*.exe\", \"*.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "rundll32_process_creating_exe_dll_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Rundll32 Shimcache Flush", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "a913718a-25b6-11ec-96d3-acde48001122", "description": "The following analytic detects the execution of a suspicious rundll32 command line used to clear the shim cache. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because clearing the shim cache is an anti-forensic technique aimed at evading detection and removing forensic artifacts. If confirmed malicious, this action could hinder incident response efforts, allowing an attacker to cover their tracks and maintain persistence on the compromised machine.", "references": ["https://blueteamops.medium.com/shimcache-flush-89daff28d15e"], "tags": {"analytic_story": ["Living Off The Land", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32 process execute $process$ to clear shim cache in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = \"*apphelp.dll,ShimFlushCache*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_shimcache_flush_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "author": "Steven Dick, Michael Haag, Splunk", "date": "2024-05-21", "version": 5, "id": "35307032-a12d-11eb-835f-acde48001122", "description": "The following analytic detects the execution of rundll32.exe without command line arguments, followed by a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry and network traffic data. It is significant because rundll32.exe typically requires arguments to function, and its absence is often associated with malicious activity, such as Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to establish unauthorized network connections, potentially leading to data exfiltration or further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "RunDLL Loading DLL By Ordinal", "author": "Michael Haag, David Dorsey, Splunk", "date": "2024-05-20", "version": 7, "id": "6c135f8d-5e60-454e-80b7-c56eed739833", "description": "The following analytic detects rundll32.exe loading a DLL export function by ordinal value. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant because adversaries may use rundll32.exe to execute malicious code while evading security tools that do not monitor this process. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://twitter.com/M_haggis/status/1491109262428635136", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"rundll32.+\\#\\d+\") | `rundll_loading_dll_by_ordinal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll_loading_dll_by_ordinal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Ryuk Test Files Detected", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 2, "id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "description": "The following analytic identifies the presence of files containing the keyword \"Ryuk\" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. Immediate investigation and response are crucial to mitigate potential damage.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A creation of ryuk test file $file_path$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE \"Filesystem.file_path\"=C:\\\\*Ryuk* BY \"Filesystem.dest\", \"Filesystem.user\", \"Filesystem.file_path\" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ryuk_test_files_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Ryuk Wake on LAN Command", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "538d0152-7aaa-11eb-beaa-acde48001122", "description": "The following analytic detects the use of Wake-on-LAN commands associated with Ryuk ransomware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line activities. This behavior is significant as Ryuk ransomware uses Wake-on-LAN to power on devices in a compromised network, increasing its encryption success rate. If confirmed malicious, this activity could lead to widespread ransomware encryption across multiple endpoints, causing significant operational disruption and data loss. Immediate isolation and thorough investigation of the affected endpoints are crucial to mitigate the impact.", "references": ["https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf"], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ with wake on LAN commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059", "T1059.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*8 LAN*\" OR Processes.process=\"*9 REP*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no known false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ryuk_wake_on_lan_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SAM Database File Access Attempt", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "57551656-ebdb-11eb-afdf-acde48001122", "description": "The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\\system32\\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions", "https://en.wikipedia.org/wiki/Security_Account_Manager"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "ObjectName", "type": "File", "role": ["Attacker"]}], "message": "The following process $process_name$ accessed the object $ObjectName$ attempting to gain access to credentials on $dest$ by user $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.002", "T1003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_security` (EventCode=4663) ProcessName!=*\\\\dllhost.exe ObjectName IN (\"*\\\\Windows\\\\System32\\\\config\\\\SAM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SYSTEM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SECURITY*\") | stats values(AccessList) count by ProcessName ObjectName dest src_user | rename ProcessName as process_name | `sam_database_file_access_attempt_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sam_database_file_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Samsam Test File Write", "author": "Rico Valdez, Splunk", "date": "2024-05-14", "version": 2, "id": "493a879d-519d-428f-8f57-a06a0fdc107e", "description": "The following analytic detects the creation of a file named \"test.txt\" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage.", "references": [], "tags": {"analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A samsam ransomware test file creation in $file_path$ in host $dest$", "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\windows\\\\system32\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`", "how_to_implement": "You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "No false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "samsam_test_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Sc exe Manipulating Windows Services", "author": "Rico Valdez, Splunk", "date": "2024-05-20", "version": 5, "id": "f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d", "description": "The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.", "references": ["https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver"], "tags": {"analytic_story": ["Azorult", "DHS Report TA18-074A", "Disabling Security Tools", "NOBELIUM Group", "Orangeworm Attack Group", "Windows Drivers", "Windows Persistence Techniques", "Windows Service Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\"* create *\" OR Processes.process=\"* config *\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sc_exe_manipulating_windows_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SchCache Change By App Connect And Create ADSI Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "991eb510-0fc6-11ec-82d3-acde48001122", "description": "The following analytic detects an application attempting to connect and create an ADSI object to perform an LDAP query. It leverages Sysmon EventCode 11 to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. This activity is significant as it can indicate the presence of suspicious applications, such as ransomware, using ADSI object APIs for LDAP queries. If confirmed malicious, this behavior could allow attackers to gather sensitive directory information, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $Image$ create a file $TargetFilename$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=11 TargetFilename = \"*\\\\Windows\\\\SchCache\\\\*\" TargetFilename = \"*.sch*\" NOT (Image IN (\"*\\\\Windows\\\\system32\\\\mmc.exe\")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal application like mmc.exe and other ldap query tool may trigger this detections.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "schcache_change_by_app_connect_and_create_adsi_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Schedule Task with HTTP Command Arguments", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "523c2684-a101-11eb-916b-acde48001122", "description": "The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/"], "tags": {"analytic_story": ["Living Off The Land", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN (\"*http*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schedule_task_with_http_command_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "description": "The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*rundll32*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schedule_task_with_rundll32_command_trigger_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "4be54858-432f-11ec-8209-3e22fbd008af", "description": "The following analytic detects the creation of scheduled tasks on remote Windows endpoints using the at.exe command. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events involving at.exe with remote command-line arguments. Identifying this activity is significant for a SOC as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this activity could lead to unauthorized access, persistence, or execution of malicious code, potentially resulting in data theft or further compromise of the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "scheduled_task_creation_on_remote_endpoint_using_at_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "author": "Bhavin Patel, Splunk", "date": "2024-05-17", "version": 7, "id": "d5af132c-7c17-439c-9d31-13d55340f36c", "description": "The following analytic identifies the creation or deletion of scheduled tasks using the schtasks.exe utility with the -create or -delete flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it can indicate unauthorized system manipulation or malicious intent, often associated with threat actors like Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this activity could allow attackers to execute code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.joesandbox.com/analysis/691823/0/html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "CISA AA22-257A", "CISA AA23-347A", "DHS Report TA18-074A", "DarkCrystal RAT", "Living Off The Land", "NOBELIUM Group", "NjRAT", "Phemedrone Stealer", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Rhysida Ransomware", "Sandworm Tools", "Scheduled Tasks", "Trickbot", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "scheduled_task_deleted_or_created_via_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "95cf4608-4302-11ec-8194-3e22fbd008af", "description": "The following analytic detects the use of 'schtasks.exe' to start a Scheduled Task on a remote endpoint. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process details such as process name, parent process, and command-line executions. This activity is significant as adversaries often abuse Task Scheduler for lateral movement and remote code execution. If confirmed malicious, this behavior could allow attackers to execute arbitrary code remotely, potentially leading to further compromise of the network.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Scheduled Task was ran on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "scheduled_task_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Schtasks Run Task On Demand", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "bb37061e-af1f-11eb-a159-acde48001122", "description": "The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"analytic_story": ["CISA AA22-257A", "Data Destruction", "Industroyer2", "Qakbot", "Scheduled Tasks", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A \"on demand\" execution of schedule task process $process_name$ using commandline $process$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/run*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schtasks_run_task_on_demand_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Schtasks scheduling job on remote system", "author": "David Dorsey, Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 7, "id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "description": "The following analytic detects the use of 'schtasks.exe' to create a scheduled task on a remote system, indicating potential lateral movement or remote code execution. It leverages process data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments and flags. This activity is significant as it may signify an adversary's attempt to persist or execute code remotely. If confirmed malicious, this could allow attackers to maintain access, execute arbitrary commands, or further infiltrate the network, posing a severe security risk.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "NOBELIUM Group", "Phemedrone Stealer", "Prestige Ransomware", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$.", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=\"*/create*\" AND Processes.process=\"*/s*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schtasks_scheduling_job_on_remote_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Schtasks used for forcing a reboot", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 5, "id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "description": "The following analytic detects the use of 'schtasks.exe' to schedule forced system reboots using the 'shutdown' and '/create' flags. It leverages endpoint process data to identify instances where these specific command-line arguments are used. This activity is significant because it may indicate an adversary attempting to disrupt operations or force a reboot to execute further malicious actions. If confirmed malicious, this could lead to system downtime, potential data loss, and provide an attacker with an opportunity to execute additional payloads or evade detection.", "references": [], "tags": {"analytic_story": ["Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*shutdown*\" Processes.process=\"*/create *\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "schtasks_used_for_forcing_a_reboot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Screensaver Event Trigger Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "58cea3ec-1f6d-11ec-8560-acde48001122", "description": "The following analytic detects modifications to the SCRNSAVE.EXE registry entry, indicating potential event trigger execution via screensaver settings for persistence or privilege escalation. It leverages registry activity data from the Endpoint data model to identify changes to the specified registry path. This activity is significant as it is a known technique used by APT groups and malware to maintain persistence or escalate privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, leading to further system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1546/002/", "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/screensaver"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Registry path $registry_path$ was modified, added, or deleted in $dest$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546", "T1546.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "screensaver_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Script Execution via WMI", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "aa73f80d-d728-4077-b226-81ea0c8be589", "description": "The following analytic detects the execution of scripts via Windows Management Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. WMI-based script execution is significant because adversaries often use it to perform malicious activities stealthily, such as system compromise, data exfiltration, or establishing persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain long-term access to the environment. Analysts should differentiate between legitimate administrative use and potential threats.", "references": ["https://redcanary.com/blog/child-processes/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A wmic.exe process $process_name$ that execute script in host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "script_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Sdclt UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 4, "id": "d71efbf6-da63-11eb-8c6e-acde48001122", "description": "The following analytic detects suspicious modifications to the sdclt.exe registry, a technique often used to bypass User Account Control (UAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific registry paths and values associated with sdclt.exe. This activity is significant because UAC bypasses can allow attackers to execute payloads with elevated privileges without user consent. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and potential persistence within the environment, posing a severe security risk.", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", "https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\control.exe*\" OR Registry.registry_path= \"*\\\\exefile\\\\shell\\\\runas\\\\command\\\\*\") (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"IsolatedCommand\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited to no false positives are expected.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sdclt_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Sdelete Application Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "31702fc0-2682-11ec-85c3-acde48001122", "description": "The following analytic detects the execution of the sdelete.exe application, a Sysinternals tool often used by adversaries to securely delete files and remove forensic evidence from a targeted host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as sdelete.exe is not commonly used in regular operations and its presence may indicate an attempt to cover malicious activities. If confirmed malicious, this could lead to the loss of critical forensic data, hindering incident response and investigation efforts.", "references": ["https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/"], "tags": {"analytic_story": ["Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "sdelete process $process_name$ executed in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user may execute and use this application", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_sdelete", "definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "sdelete_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SearchProtocolHost with no Command Line with Network", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 4, "id": "b690df8c-a145-11eb-a38b-acde48001122", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments but with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because searchprotocolhost.exe typically runs with specific command line arguments, and deviations from this norm can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to establish network connections for command and control, potentially leading to data exfiltration or further system compromise.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "searchprotocolhost_with_no_command_line_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "5672819c-be09-11eb-bbfb-acde48001122", "description": "The following analytic detects the potential use of the secretsdump.py tool to dump NTLM hashes from a copy of ntds.dit and the SAM, SYSTEM, and SECURITY registry hives. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and process names associated with secretsdump.py. This activity is significant because it indicates an attempt to extract sensitive credential information offline, which is a common post-exploitation technique. If confirmed malicious, this could allow an attacker to obtain NTLM hashes, facilitating further lateral movement and potential privilege escalation within the network.", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"], "tags": {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.003", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"python*.exe\" Processes.process = \"*.py*\" Processes.process = \"*-ntds*\" (Processes.process = \"*-system*\" OR Processes.process = \"*-sam*\" OR Processes.process = \"*-security*\" OR Processes.process = \"*-bootkey*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "secretdumps_offline_ntds_dumping_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "13243068-2d38-11ec-8908-acde48001122", "description": "The following analytic detects the use of `powershell.exe` to query the domain for Service Principal Names (SPNs) using Script Block Logging EventCode 4104. It identifies the use of the KerberosRequestorSecurityToken class within the script block, which is equivalent to using setspn.exe. This activity is significant as it often precedes kerberoasting or silver ticket attacks, which can lead to credential theft. If confirmed malicious, attackers could leverage this information to escalate privileges or persist within the environment.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of attempting to identify service principle detected on $dest$ names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "serviceprincipalnames_discovery_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "description": "The following analytic detects the use of `setspn.exe` to query the domain for Service Principal Names (SPNs). This detection leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line arguments associated with `setspn.exe`. Monitoring this activity is crucial as it often precedes Kerberoasting or Silver Ticket attacks, which can lead to credential theft. If confirmed malicious, an attacker could use the gathered SPNs to escalate privileges or persist within the environment, posing a significant security risk.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principle names.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process=\"*-t*\" AND Processes.process=\"*-f*\") OR (Processes.process=\"*-q*\" AND Processes.process=\"**/**\") OR (Processes.process=\"*-q*\") OR (Processes.process=\"*-s*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_setspn", "definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "serviceprincipalnames_discovery_with_setspn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services Escalate Exe", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 3, "id": "c448488c-b7ec-11eb-8253-acde48001122", "description": "The following analytic identifies the execution of a randomly named binary via `services.exe`, indicative of privilege escalation using Cobalt Strike's `svc-exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process lineage and command-line executions. This activity is significant as it often follows initial access, allowing adversaries to escalate privileges and establish persistence. If confirmed malicious, this behavior could enable attackers to execute arbitrary code, maintain long-term access, and potentially move laterally within the network, posing a severe threat to the organization's security.", "references": ["https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://attack.mitre.org/techniques/T1548/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA23-347A", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A service process $parent_process_name$ with process path $process_path$ in host $dest$", "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.process_path Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "services_escalate_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Services LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "description": "The following analytic identifies `services.exe` spawning a LOLBAS (Living Off the Land Binaries and Scripts) execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `services.exe` is the parent process. This activity is significant because adversaries often abuse the Service Control Manager to execute malicious code via native Windows binaries, facilitating lateral movement. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1543/003/", "https://pentestlab.blog/2020/07/21/lateral-movement-services/", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Services.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "services_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "author": "Steven Dick, Patrick Bareiss, Splunk", "date": "2024-05-12", "version": 9, "id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "description": "The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to \"Unrestricted\" or \"Bypass.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges.", "references": [], "tags": {"analytic_story": ["Credential Dumping", "DarkGate Malware", "Data Destruction", "HAFNIUM Group", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "registry_path", "type": "Unknown", "role": ["Other"]}], "message": "A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\\\Microsoft\\\\Powershell\\\\1\\\\ShellIds\\\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database File Creation", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 4, "id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "description": "The following analytic detects the creation of shim database files (.sdb) in default directories using the sdbinst.exe application. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify file writes to the Windows\\AppPatch\\Custom directory. This activity is significant because shims can intercept and alter API calls, potentially allowing attackers to bypass security controls or execute malicious code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "message": "A process that possibly write shim database in $file_path$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.011", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "shim_database_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Shim Database Installation With Suspicious Parameters", "author": "David Dorsey, Splunk", "date": "2024-05-09", "version": 5, "id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "description": "The following analytic detects the execution of sdbinst.exe with parameters indicative of silently creating a shim database. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because shim databases can be used to intercept and manipulate API calls, potentially allowing attackers to bypass security controls or achieve persistence. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.", "references": [], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ that possible create a shim db silently in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.011", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "shim_database_installation_with_suspicious_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Short Lived Scheduled Task", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "6fa31414-546e-11ec-adfa-acde48001122", "description": "The following analytic detects the creation and deletion of scheduled tasks within a short time frame (less than 30 seconds) using Windows Security EventCodes 4698 and 4699. This behavior is identified by analyzing Windows Security Event Logs and leveraging the Windows TA for parsing. Such activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or execution of malicious payloads, necessitating prompt investigation and response by security analysts.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "CISA AA23-347A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created and deleted in 30 seconds on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "short_lived_scheduled_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Short Lived Windows Accounts", "author": "David Dorsey, Splunk", "date": "2024-05-14", "version": 4, "id": "b25f6f62-0782-43c1-b403-083231ffd97d", "description": "The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame. It leverages the \"Change\" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. Immediate investigation of flagged events is crucial to mitigate potential damage.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user account created or delete shortly in host $dest$", "risk_score": 63, "security_domain": "access", "risk_severity": "medium", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"All_Changes\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "short_lived_windows_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SilentCleanup UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 4, "id": "56d7cfcc-da63-11eb-92d4-acde48001122", "description": "The following analytic detects suspicious modifications to the registry that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes in the path \"*\\\\Environment\\\\windir\" with executable values. This activity is significant as it can allow an attacker to gain high-privilege execution without user consent, bypassing UAC protections. If confirmed malicious, this could lead to unauthorized administrative access, enabling further system compromise and persistence.", "references": ["https://github.com/hfiref0x/UACME", "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Environment\\\\windir\" Registry.registry_value_data = \"*.exe*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "silentcleanup_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Single Letter Process On Endpoint", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 4, "id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "description": "The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious process $process_name$ with single letter in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \".exe\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "single_letter_process_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI RunAs Elevated", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "8d124810-b3e4-11eb-96c7-acde48001122", "description": "The following analytic detects the execution of the Microsoft Software Licensing User Interface Tool (`slui.exe`) with elevated privileges using the `-verb runas` function. This activity is identified through logs from Endpoint Detection and Response (EDR) agents, focusing on specific registry keys and command-line parameters. This behavior is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to gain elevated access and execute malicious actions with higher privileges. If confirmed malicious, this could lead to unauthorized system changes, data exfiltration, or further compromise of the affected endpoint.", "references": ["https://www.exploit-db.com/exploits/46998", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "Hostname", "role": ["Victim"]}], "message": "A slui process $process_name$ with elevated commandline $process$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as this is not commonly used by legitimate applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "slui_runas_elevated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SLUI Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "879c4330-b3e0-11eb-b1b1-acde48001122", "description": "The following analytic detects the Microsoft Software Licensing User Interface Tool (`slui.exe`) spawning a child process. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `slui.exe` is the parent process. This activity is significant because `slui.exe` should not typically spawn child processes, and doing so may indicate a UAC bypass attempt, leading to elevated privileges. If confirmed malicious, an attacker could leverage this to execute code with elevated privileges, potentially compromising the system's security and gaining unauthorized access.", "references": ["https://www.exploit-db.com/exploits/46998", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "slui_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spike in File Writes", "author": "David Dorsey, Splunk", "date": "2024-05-16", "version": 4, "id": "fdb0f805-74e4-4539-8c00-618927333aae", "description": "The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network.", "references": [], "tags": {"analytic_story": ["Ransomware", "Rhysida Ransomware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-1d@d\"), count, null))) as \"count\" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter`", "how_to_implement": "In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system.", "known_false_positives": "It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spike_in_file_writes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Spawning Rundll32", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "15d905f6-da6b-11eb-ab82-acde48001122", "description": "The following analytic detects the spawning of `rundll32.exe` without command-line arguments by `spoolsv.exe`, which is unusual and potentially indicative of exploitation attempts like CVE-2021-34527 (PrintNightmare). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where `spoolsv.exe` is the parent process. This activity is significant as `spoolsv.exe` typically does not spawn other processes, and such behavior could indicate an active exploitation attempt. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised endpoint.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$parent_process_name$ has spawned $process_name$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spoolsv_spawning_rundll32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Suspicious Loaded Modules", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "a5e451f8-da81-11eb-b245-acde48001122", "description": "The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.", "references": ["https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "$Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImageLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spoolsv_suspicious_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Spoolsv Suspicious Process Access", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "799b606e-da81-11eb-93f8-acde48001122", "description": "The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "ProcessID", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process Name", "role": ["Target"]}], "message": "$SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\spoolsv.exe\" CallTrace = \"*\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*\" TargetImage IN (\"*\\\\rundll32.exe\", \"*\\\\spoolsv.exe\") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spoolsv_suspicious_process_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Spoolsv Writing a DLL", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-27", "version": 3, "id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages the Endpoint datamodel, specifically monitoring process and filesystem events to identify `.dll` file creation within the `\\spool\\drivers\\x64\\` path. This activity is significant as it may signify an attacker attempting to execute malicious code via the Print Spooler service. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise. Immediate endpoint isolation and further investigation are recommended.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" Filesystem.file_name=\"*.dll\" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process_guid process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name process_guid | `spoolsv_writing_a_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "spoolsv_writing_a_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Spoolsv Writing a DLL - Sysmon", "author": "Mauricio Velazco, Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "347fd388-da87-11eb-836d-acde48001122", "description": "The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation events in the `\\spool\\drivers\\x64\\` directory. This activity is significant because `spoolsv.exe` typically does not write DLL files, and such behavior could signify an ongoing attack. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.012", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventID=11 process_name=spoolsv.exe file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Limited false positives. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spoolsv_writing_a_dll___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Sqlite Module In Temp Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0f216a38-f45f-11eb-b09c-acde48001122", "description": "The following analytic detects the creation of sqlite3.dll files in the %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are written to the temporary directory. This activity is significant because it is associated with IcedID malware, which uses the sqlite3 module to parse browser databases and steal sensitive information such as banking details, credit card information, and credentials. If confirmed malicious, this behavior could lead to significant data theft and compromise of user accounts.", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ create a file $file_name$ in host $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sqlite_module_in_temp_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "description": "The following analytic identifies potential threats related to the theft or forgery of authentication certificates. It detects when five or more analytics from the Windows Certificate Services story trigger within a specified timeframe. This detection leverages aggregated risk scores and event counts from the Risk data model. This activity is significant as it may indicate an ongoing attack aimed at compromising authentication mechanisms. If confirmed malicious, attackers could gain unauthorized access to sensitive systems and data, potentially leading to severe security breaches.", "references": ["https://research.splunk.com/stories/windows_certificate_services/", "https://attack.mitre.org/techniques/T1649/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "Steal or Forge Authentication Certificates Behavior Identified on $risk_object$.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Windows Certificate Services\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`", "how_to_implement": "The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics.", "known_false_positives": "False positives may be present based on automated tooling or system administrators. Filter as needed.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "steal_or_forge_authentication_certificates_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Sunburst Correlation DLL and Network Event", "author": "Patrick Bareiss, Splunk", "date": "2024-05-11", "version": 2, "id": "701a8740-e8db-40df-9190-5516d3819787", "description": "The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.", "references": ["https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1203"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sunburst_correlation_dll_and_network_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Computer Account Name Change", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "description": "The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a `$`. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "OldTargetUserName", "type": "User", "role": ["Victim"]}], "message": "A computer account $OldTargetUserName$ was renamed with a suspicious computer name on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\" | table _time, Computer, Caller_User_Name, OldTargetUserName, NewTargetUserName | rename Computer as dest | `suspicious_computer_account_name_change_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "suspicious_computer_account_name_change_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Copy on System32", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "ce633e56-25b2-11ec-9e76-acde48001122", "description": "The following analytic detects suspicious file copy operations from the System32 or SysWow64 directories, often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by command-line tools like cmd.exe or PowerShell. This behavior is significant as it may indicate an attempt to execute malicious code using legitimate system tools (LOLBIN). If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise or further lateral movement within the network.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AsyncRAT", "IcedID", "Qakbot", "Sandworm Tools", "Unusual Processes", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Execution of copy exe to copy file from $process$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036.003", "T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process,\" \") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,\"%\\\\windows\\\\system32\\\\%\") AND NOT LIKE(first_cmdline,\"%\\\\windows\\\\syswow64\\\\%\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "every user may do this event but very un-ussual.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_copy", "definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_copy_on_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Curl Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "description": "The following analytic detects the use of the curl command contacting suspicious remote domains, such as s3.amazonaws.com, which is indicative of Command and Control (C2) activity or downloading further implants. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate the presence of MacOS adware or other malicious software attempting to establish persistence or exfiltrate data. If confirmed malicious, this could allow attackers to maintain control over the compromised system and deploy additional payloads.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Linux Living Off The Land", "Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_curl_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 5, "id": "ff61e98c-0337-4593-a78f-72a676c56f26", "description": "The following analytic detects instances of DLLHost.exe executing without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because DLLHost.exe typically requires arguments to function correctly, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized actions like credential dumping or file manipulation, posing a severe threat to the environment.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_dllhost", "definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_dllhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Driver Loaded Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "f880acd4-a8f1-11eb-a53b-acde48001122", "description": "The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Snake Keylogger", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Suspicious driver $file_name$ on $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=6 ImageLoaded = \"*.sys\" NOT (ImageLoaded IN(\"*\\\\WINDOWS\\\\inf\",\"*\\\\WINDOWS\\\\System32\\\\drivers\\\\*\", \"*\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\")) | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed| rename ImageLoaded as file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present. Some applications do load drivers", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_driver_loaded_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Event Log Service Behavior", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 3, "id": "2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40", "description": "The following analytic detects the shutdown of the Windows Event Log service using Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Windows Event Log Service shutdown on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070", "T1070.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_event_log_service_behavior_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_event_log_service_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "description": "The following analytic detects the execution of gpupdate.exe without any command line arguments. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute unauthorized commands or scripts, potentially leading to further system compromise or lateral movement within the network.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_gpupdate", "definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_gpupdate_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 3, "id": "bed761f8-ee29-11eb-8bf3-acde48001122", "description": "The following analytic detects a suspicious `rundll32.exe` command line used to execute a DLL file, a technique associated with IcedID malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing the pattern `*/i:*`. This activity is significant as it indicates potential malware attempting to load an encrypted DLL payload, often named `license.dat`. If confirmed malicious, this could allow attackers to execute arbitrary code, leading to further system compromise and potential data exfiltration.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "limitted. this parameter is not commonly used by windows application but can be used by the network operator.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_icedid_rundll32_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Image Creation In Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 3, "id": "f6f904c4-1ac0-11ec-806b-acde48001122", "description": "The following analytic detects the creation of image files in the AppData folder by processes that also have a file reference in the same folder. It leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify this behavior. This activity is significant because it is commonly associated with malware, such as the Remcos RAT, which captures screenshots and stores them in the AppData folder before exfiltrating them to a command-and-control server. If confirmed malicious, this activity could indicate unauthorized data capture and exfiltration, compromising sensitive information and user privacy.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.png\",\"*.jpg\",\"*.bmp\",\"*.gif\",\"*.tiff\") Filesystem.file_path= \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_image_creation_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Kerberos Service Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "8b1297bc-6204-11ec-b7c4-acde48001122", "description": "The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,\"@\"),0)),1,0) | where isSuspicious = 1 | rename Computer as dest| rename TargetUserName as user | table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "suspicious_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Linux Discovery Commands", "author": "Bhavin Patel, Splunk", "date": "2024-05-11", "version": 2, "id": "0edd5112-56c9-11ec-b990-acde48001122", "description": "The following analytic detects the execution of suspicious bash commands commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically looking for a high number of distinct commands executed within a short time frame. This activity is significant as it often precedes privilege escalation or other malicious actions. If confirmed malicious, an attacker could gain detailed system information, identify vulnerabilities, and potentially escalate privileges, posing a severe threat to the environment.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/", "https://attack.mitre.org/techniques/T1059/004/", "https://github.com/IvanGlinkin/AutoSUID", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", "https://github.com/rebootuser/LinEnum"], "tags": {"analytic_story": ["Linux Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious Linux Discovery Commands detected on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_linux_discovery_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler rename", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 6, "id": "f0db4464-55d9-11eb-ae93-0242ac130002", "description": "The following analytic detects the renaming of microsoft.workflow.compiler.exe, a rarely used executable typically located in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names. This activity is significant because renaming this executable can indicate an attempt to evade security controls. If confirmed malicious, an attacker could use this renamed executable to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036", "T1127", "T1036.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious microsoft workflow compiler usage", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 3, "id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "description": "The following analytic identifies the usage of microsoft.workflow.compiler.exe, a rarely utilized executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution telemetry. The significance of this activity lies in its uncommon usage, which may indicate malicious intent such as code execution or persistence mechanisms. If confirmed malicious, an attacker could leverage this process to execute arbitrary code, potentially leading to unauthorized access or further compromise of the system.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1127"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_microsoftworkflowcompiler", "definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious msbuild path", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 4, "id": "f5198224-551c-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of msbuild.exe from a non-standard path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that deviate from typical msbuild.exe locations. This activity is significant because msbuild.exe is commonly abused by attackers to execute malicious code, and running it from an unusual path can indicate an attempt to evade detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\\\framework*\\\\v*\\\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Rename", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 5, "id": "4006adac-5937-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Living Off The Land", "Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious renamed msbuild.exe binary ran on $dest$ by $user$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious MSBuild Spawn", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 3, "id": "a115fba6-5514-11eb-ae93-0242ac130002", "description": "The following analytic identifies instances where wmiprvse.exe spawns msbuild.exe, which is unusual and indicative of potential misuse of a COM object. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant because msbuild.exe is typically spawned by devenv.exe during legitimate Visual Studio use, not by wmiprvse.exe. If confirmed malicious, this behavior could indicate an attacker executing arbitrary code or scripts, potentially leading to system compromise or further malicious activities.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"analytic_story": ["Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious msbuild.exe process executed on $dest$ by $user$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1127", "T1127.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta child process", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "60023bb6-5500-11eb-ae93-0242ac130002", "description": "The following analytic identifies child processes spawned from \"mshta.exe\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like \"powershell.exe\" and \"cmd.exe\". This activity is significant because \"mshta.exe\" is often exploited by attackers to execute malicious scripts or commands. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Monitoring this activity helps in early detection of potential threats leveraging \"mshta.exe\" for malicious purposes.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious mshta child process detected on host $dest$ by user $user$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious mshta spawn", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "description": "The following analytic detects the spawning of mshta.exe by wmiprvse.exe or svchost.exe. This behavior is identified using Endpoint Detection and Response (EDR) data, focusing on process creation events where the parent process is either wmiprvse.exe or svchost.exe. This activity is significant as it may indicate the use of a DCOM object to execute malicious scripts via mshta.exe, a common tactic in sophisticated attacks. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html", "https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "mshta.exe spawned by wmiprvse.exe on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "description": "The following analytic identifies the use of the native macOS utility, PlistBuddy, to create or modify property list (.plist) files. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving PlistBuddy. This activity is significant because PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised macOS system.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.001", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_plistbuddy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious PlistBuddy Usage via OSquery", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "20ba6c32-c733-4a32-b64e-2688cf231399", "description": "The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.001", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`osquery_process` \"columns.cmdline\"=\"*LaunchAgents*\" OR \"columns.cmdline\"=\"*RunAtLoad*\" OR \"columns.cmdline\"=\"*true*\" | `suspicious_plistbuddy_usage_via_osquery_filter`", "how_to_implement": "OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_plistbuddy_usage_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "description": "The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon Event ID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "references": ["https://urlhaus.abuse.ch/url/1798923/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Phemedrone Stealer", "Remcos", "Snake Keylogger", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059.005", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\", \"*api.telegram*\",\"*t.me*\") process_name IN (\"cmd.exe\", \"*powershell*\", \"pwsh.exe\", \"wscript.exe\",\"cscript.exe\") OR Image IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_process_dns_query_known_abuse_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Process Executed From Container File", "author": "Steven Dick", "date": "2024-05-09", "version": 2, "id": "d8120352-3b62-411c-8cb6-7b47584dd5e8", "description": "The following analytic identifies a suspicious process executed from within common container/archive file types such as ZIP, ISO, IMG, and others. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is a common technique used by adversaries to execute scripts or evade defenses. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/", "https://attack.mitre.org/techniques/T1204/002/"], "tags": {"analytic_story": ["Amadey", "Remcos", "Snake Keylogger", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A suspicious process $process_name$ was launched from $file_name$ on $dest$.", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1204.002", "T1036.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.ZIP\\\\*\",\"*.ISO\\\\*\",\"*.IMG\\\\*\",\"*.CAB\\\\*\",\"*.TAR\\\\*\",\"*.GZ\\\\*\",\"*.RAR\\\\*\",\"*.7Z\\\\*\") AND Processes.action=\"allowed\" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process=\"(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\\\\\.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\\\"?$\" | rex field=process \"(?i).+\\\\\\\\(?[^\\\\\\]+\\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\\\\\((.+\\\\\\\\)+)?(?.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\\\"?$\"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Various business process or userland applications and behavior.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_process_executed_from_container_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process File Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "9be25988-ad82-11eb-a14f-acde48001122", "description": "The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "AsyncRAT", "Azorult", "BlackByte Ransomware", "Brute Ratel C4", "CISA AA23-347A", "Chaos Ransomware", "DarkCrystal RAT", "DarkGate Malware", "Data Destruction", "Double Zero Destructor", "Graceful Wipe Out Attack", "Hermetic Wiper", "IcedID", "Industroyer2", "LockBit Ransomware", "Phemedrone Stealer", "PlugX", "Prestige Ransomware", "Qakbot", "RedLine Stealer", "Remcos", "Rhysida Ransomware", "Swift Slicer", "Trickbot", "Volt Typhoon", "Warzone RAT", "WhisperGate", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_path", "type": "Process Name", "role": ["Attacker"]}], "message": "Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\windows\\\\fonts\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\users\\\\public\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\debug\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Administrator\\\\Music\\\\*\" OR Processes.process_path = \"*\\\\Windows\\\\servicing\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Default\\\\*\" OR Processes.process_path = \"*Recycle.bin*\" OR Processes.process_path = \"*\\\\Windows\\\\Media\\\\*\" OR Processes.process_path = \"\\\\Windows\\\\repair\\\\*\" OR Processes.process_path = \"*\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\PerfLogs\\\\*\" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may allow execution of specific binaries in non-standard paths. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Process With Discord DNS Query", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "4d4332ae-792c-11ec-89c1-acde48001122", "description": "The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing \"discord\" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059.005", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*discord*\") Image != \"*\\\\AppData\\\\Local\\\\Discord\\\\*\" AND Image != \"*\\\\Program Files*\" AND Image != \"discord.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`", "how_to_implement": "his detection relies on sysmon logs with the Event ID 22, DNS Query.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_process_with_discord_dns_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious Reg exe Process", "author": "David Dorsey, Splunk", "date": "2024-05-19", "version": 5, "id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "description": "The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access.", "references": ["https://car.mitre.org/wiki/CAR-2013-03-001/"], "tags": {"analytic_story": ["DHS Report TA18-074A", "Disabling Security Tools", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_reg_exe_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 4, "id": "62732736-6250-11eb-ae93-0242ac130002", "description": "The following analytic detects the use of Regsvr32.exe to register DLLs from suspicious paths such as AppData, ProgramData, or Windows Temp directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing traditional security controls. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5", "https://any.run/report/f29a7d2ecd3585e1e4208e44bcc7156ab5388725f1d29d03e7699da0d4598e7c/0826458b-5367-45cf-b841-c95a33a01718"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Qakbot", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.010"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_regsvr32_register_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 dllregisterserver", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "description": "The following analytic detects the execution of rundll32.exe with the DllRegisterServer command to load a DLL. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it may indicate an attempt to register a malicious DLL, which can be a method for code execution or persistence. If confirmed malicious, an attacker could gain unauthorized code execution, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/pan-unit42/tweets/blob/master/2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://docs.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver?redirectedfrom=MSDN"], "tags": {"analytic_story": ["IcedID", "Living Off The Land", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 4, "id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "description": "The following analytic detects the execution of rundll32.exe without any command line arguments. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution logs. It is significant because rundll32.exe typically requires command line arguments to function properly, and its absence is often associated with malicious activities, such as those performed by Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to execute arbitrary code, potentially leading to credential dumping, unauthorized file writes, or other malicious actions.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 PluginInit", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "92d51712-ee29-11eb-b1ae-acde48001122", "description": "The following analytic identifies the execution of the rundll32.exe process with the \"plugininit\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because the \"plugininit\" parameter is commonly associated with IcedID malware, which uses it to execute an initial DLL stager to download additional payloads. If confirmed malicious, this behavior could lead to further malware infections, data exfiltration, or complete system compromise.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "third party application may used this dll export name to execute function.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_plugininit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Rundll32 StartW", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 4, "id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "description": "The following analytic identifies the execution of rundll32.exe with the DLL function names \"Start\" and \"StartW,\" commonly associated with Cobalt Strike payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it often indicates the presence of malicious payloads, such as Cobalt Strike, which can lead to unauthorized code execution. If confirmed malicious, this activity could allow attackers to inject shellcode, escalate privileges, and maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1036", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "Suspicious Rundll32 Activity", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "rundll32.exe running with suspicious StartW parameters on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_startw_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Scheduled Task from Public Directory", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "7feb7972-7ac3-11eb-bac8-acde48001122", "description": "The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\\public, \\programdata\\, or \\windows\\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Living Off The Land", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious scheduled task registered on $dest$ from Public Directory", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\\\users\\\\public\\\\* OR Processes.process=*\\\\programdata\\\\* OR Processes.process=*windows\\\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_scheduled_task_from_public_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 4, "id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "description": "The following analytic detects instances of searchprotocolhost.exe running without command line arguments. This behavior is unusual and often associated with malicious activities, such as those performed by Cobalt Strike. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution data. This activity is significant because searchprotocolhost.exe typically runs with specific arguments, and its absence may indicate an attempt to evade detection. If confirmed malicious, this could lead to unauthorized code execution, potential credential dumping, or other malicious actions within the environment.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_searchprotocolhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "description": "The following analytic identifies the use of SQLite3 querying the MacOS preferences to determine the original URL from which a package was downloaded. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving LSQuarantine. This activity is significant as it is commonly associated with MacOS adware and other malicious software. If confirmed malicious, this behavior could indicate an attempt to track or manipulate downloaded packages, potentially leading to further system compromise or persistent adware infections.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1074"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_sqlite3_lsquarantine_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious Ticket Granting Ticket Request", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "d77d349e-6269-11ec-9cfe-acde48001122", "description": "The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation", "sAMAccountName Spoofing and Domain Controller Impersonation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious TGT was requested was requested by $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1078", "T1078.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` (EventCode=4781 OldTargetUserName=\"*$\" NewTargetUserName!=\"*$\") OR (EventCode=4768 TargetUserName!=\"*$\") | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),\"TRUE\") | search short_lived = TRUE | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived | rename Computer as dest | `suspicious_ticket_granting_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "suspicious_ticket_granting_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Suspicious WAV file in Appdata Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 3, "id": "5be109e6-1ac5-11ec-b421-acde48001122", "description": "The following analytic detects the creation of .wav files in the AppData folder, a behavior associated with Remcos RAT malware, which stores audio recordings in this location for data exfiltration. The detection leverages endpoint process and filesystem data to identify .wav file creation within the AppData\\Roaming directory. This activity is significant as it indicates potential unauthorized data collection and exfiltration by malware. If confirmed malicious, this could lead to sensitive information being sent to an attacker's command and control server, compromising the affected system's confidentiality.", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ creating image file $file_path$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.wav\") Filesystem.file_path = \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_wav_file_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious wevtutil Usage", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-19", "version": 5, "id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "description": "The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA23-347A", "Clop Ransomware", "Ransomware", "Rhysida Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Wevtutil.exe being used to clear Event Logs on $dest$ by $user$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070.001", "T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN (\"* cl *\", \"*clear-log*\") (Processes.process=\"*System*\" OR Processes.process=\"*Security*\" OR Processes.process=\"*Setup*\" OR Processes.process=\"*Application*\" OR Processes.process=\"*trace*\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_wevtutil_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Suspicious writes to windows Recycle Bin", "author": "Rico Valdez, Splunk", "date": "2024-05-18", "version": 3, "id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "description": "The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the \"*$Recycle.Bin*\" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools.", "references": [], "tags": {"analytic_story": ["Collection and Staging", "PlugX"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Suspicious writes to windows Recycle Bin process $process_name$ on $dest$", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*$Recycle.Bin*\" by Filesystem.process_name Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | join process_id [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \"explorer.exe\" by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | table user process_name process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.", "known_false_positives": "Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "suspicious_writes_to_windows_recycle_bin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 4, "id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "description": "The following analytic detects instances of 'svchost.exe' spawning Living Off The Land Binaries and Scripts (LOLBAS) processes. It leverages Endpoint Detection and Response (EDR) data to monitor child processes of 'svchost.exe' that match known LOLBAS executables. This activity is significant as adversaries often use LOLBAS techniques to execute malicious code stealthily, potentially indicating lateral movement or code execution attempts. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Svchost.exe spawned a LOLBAS process on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "svchost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Info Gathering Using Dxdiag Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "f92d74f2-4921-11ec-b685-acde48001122", "description": "The following analytic identifies the execution of the dxdiag.exe process with specific command-line arguments, which is used to gather system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line details. This activity is significant because dxdiag.exe is rarely used in corporate environments and its execution may indicate reconnaissance efforts by malicious actors. If confirmed malicious, this activity could allow attackers to collect detailed system information, aiding in further exploitation or lateral movement within the network.", "references": ["https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "dxdiag.exe process with commandline $process$ on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1592"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = \"* /t *\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_dxdiag", "definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_info_gathering_using_dxdiag_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Information Discovery Detection", "author": "Patrick Bareiss, Splunk", "date": "2024-05-14", "version": 4, "id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "description": "The following analytic identifies system information discovery techniques, such as the execution of commands like `wmic qfe`, `systeminfo`, and `hostname`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often use these commands to gather system configuration details, which can aid in further exploitation. If confirmed malicious, this behavior could allow attackers to tailor their attacks based on the discovered system information, potentially leading to privilege escalation, persistence, or data exfiltration.", "references": ["https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Windows", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "message": "Potential system information discovery behavior on $dest$ by $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*wmic* qfe*\" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators debugging servers", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_information_discovery_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System Processes Run From Unexpected Locations", "author": "David Dorsey, Michael Haag, Splunk", "date": "2024-05-25", "version": 7, "id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "description": "The following analytic identifies system processes running from unexpected locations outside `C:\\Windows\\System32\\` or `C:\\Windows\\SysWOW64`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths, names, and hashes. This activity is significant as it may indicate a malicious process attempting to masquerade as a legitimate system process. If confirmed malicious, this behavior could allow an attacker to execute code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/"], "tags": {"analytic_story": ["DarkGate Malware", "Masquerading - Rename System Utilities", "Qakbot", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1036.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\"C:\\\\Windows\\\\System32*\" Processes.process_path !=\"C:\\\\Windows\\\\SysWOW64*\" by Processes.dest Processes.user Processes.parent_process Processes.process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file_macro` | `system_processes_run_from_unexpected_locations_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_windows_system_file_macro", "definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_processes_run_from_unexpected_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Query", "author": "Mauricio Velazco, Splunk", "date": "2024-05-23", "version": 2, "id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "description": "The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering logged-in users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify active users, aiding in further lateral movement and privilege escalation within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"query.exe\") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "System User Discovery With Whoami", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 2, "id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "description": "The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Qakbot", "Rhysida Ransomware", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"whoami.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Time Provider Persistence Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 5, "id": "5ba382c4-2105-11ec-8d8f-acde48001122", "description": "The following analytic detects suspicious modifications to the time provider registry for persistence and autostart. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders\" registry path. This activity is significant because such modifications are uncommon and can indicate an attempt to establish persistence on a compromised host. If confirmed malicious, this technique allows an attacker to maintain access and execute code automatically upon system boot, potentially leading to further exploitation and control over the affected system.", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/", "https://attack.mitre.org/techniques/T1547/003/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1547.003", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "time_provider_persistence_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Trickbot Named Pipe", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "1804b0a4-a682-11eb-8f68-acde48001122", "description": "The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern \"\\\\pipe\\\\*lacesomepipe\". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Possible Trickbot namedpipe created on $dest$ by $process_name$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (17,18) PipeName=\"\\\\pipe\\\\*lacesomepipe\" | stats min(_time) as firstTime max(_time) as lastTime count by dest user_id EventCode PipeName signature Image process_id | rename Image as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "trickbot_named_pipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass MMC Load Unsigned Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "7f04349c-e30d-11eb-bc7f-acde48001122", "description": "The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$ with EventCode $EventCode$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548", "T1218.014"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded = \"*.dll\" Image = \"*\\\\mmc.exe\" Signed=false Company != \"Microsoft Corporation\" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName dest EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown. all of the dll loaded by mmc.exe is microsoft signed dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_mmc_load_unsigned_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "UAC Bypass With Colorui COM Object", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "description": "The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment.", "references": ["https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest user_id EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "not so common. but 3rd part app may load this dll.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_with_colorui_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Uninstall App Using MsiExec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "1fca2b28-f922-11eb-b2dd-acde48001122", "description": "The following analytic detects the uninstallation of applications using msiexec with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it is an uncommon practice in enterprise environments and has been associated with malicious behavior, such as disabling antivirus software. If confirmed malicious, this could allow an attacker to remove security software, potentially leading to further compromise and persistence within the network.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "process $process_name$ with a cmdline $process$ in host $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= \"* /qn *\" Processes.process= \"*/X*\" Processes.process= \"*REBOOT=*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uninstall_app_using_msiexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unknown Process Using The Kerberos Protocol", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 3, "id": "c91a0852-9fbb-11ec-af44-acde48001122", "description": "The following analytic identifies a non-lsass.exe process making an outbound connection on port 88, which is typically used by the Kerberos authentication protocol. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. This activity is significant because, under normal circumstances, only the lsass.exe process should interact with the Kerberos Distribution Center. If confirmed malicious, this behavior could indicate an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized access or lateral movement within the network.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Unknown process $process_name$ using the kerberos protocol detected on host $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1550"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id dest [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.src All_Traffic.process_id All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename src as dest ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Custom applications may leverage the Kerberos protocol. Filter as needed.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unknown_process_using_the_kerberos_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unload Sysmon Filter Driver", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 5, "id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "description": "The following analytic detects the use of `fltMC.exe` to unload the Sysmon driver, which stops Sysmon from collecting data. It leverages Endpoint Detection and Response (EDR) logs, focusing on process names and command-line executions. This activity is significant because disabling Sysmon can blind security monitoring, allowing malicious actions to go undetected. If confirmed malicious, this could enable attackers to execute further attacks without being logged, leading to potential data breaches, privilege escalation, or persistent access within the environment.", "references": ["https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver"], "tags": {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Sysmon filter driver unloading on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | table firstTime lastTime dest user count process_name process_id parent_process_name process | `unload_sysmon_filter_driver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown at the moment", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unload_sysmon_filter_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unloading AMSI via Reflection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "a21e3484-c94d-11eb-b55b-acde48001122", "description": "The following analytic detects the tampering of AMSI (Antimalware Scan Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically those involving `system.management.automation.amsi`. This activity is significant as it indicates an attempt to bypass AMSI, a critical security feature that helps detect and block malicious scripts. If confirmed malicious, this could allow an attacker to execute harmful code undetected, leading to potential system compromise and data exfiltration.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible AMSI Unloading via Reflection using PowerShell on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Potential for some third party applications to disable AMSI upon invocation. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "unloading_amsi_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "description": "The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, \"A Kerberos service ticket was requested.\" It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "message": "", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" Account_Name!=\"*$*\" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "unusual_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "eb3e6702-8936-11ec-98fe-acde48001122", "description": "The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1558/003/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Endpoint", "role": ["Victim"]}], "message": "tbd", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName!=\"*$\" TicketEncryptionType=0x17 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services by _time, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "unusual_number_of_kerberos_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "acb5dc74-5324-11ec-a36d-acde48001122", "description": "The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "target_hosts", "type": "Endpoint", "role": ["Victim"]}], "message": "Unusual number of remote authentication events from $Source_Network_Address$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": " `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!=\"*$\" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "unusual_number_of_remote_endpoint_authentication_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Unusually Long Command Line", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 6, "id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "description": "The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Unusually long command line $process_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications start with long command lines.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Command Line - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-26", "version": 2, "id": "57edaefa-a73b-45e5-bbae-f39c1473f941", "description": "The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for a given user. This is significant for a SOC as unusually long command lines can be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this activity could allow attackers to execute sophisticated commands, potentially leading to unauthorized access, data exfiltration, or further compromise of the system.", "references": [], "tags": {"analytic_story": ["Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Suspicious Command-Line Executions", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \"IsOutlier(processlen)\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "description": "The following analytic detects the execution of `powershell.exe` with command-line arguments that use PowerShell environment variables to identify the current logged user. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to gather critical user information, aiding in further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System user discovery on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=\"*$env:UserName*\" OR Processes.process=\"*[System.Environment]::UserName*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "user_discovery_with_env_vars_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "User Discovery With Env Vars PowerShell Script Block", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "description": "The following analytic detects the use of PowerShell environment variables to identify the current logged user by leveraging PowerShell Script Block Logging (EventCode=4104). This method monitors script blocks containing `$env:UserName` or `[System.Environment]::UserName`. Identifying this activity is significant as adversaries and Red Teams may use it for situational awareness and Active Directory discovery on compromised endpoints. If confirmed malicious, this activity could allow attackers to gain insights into user context, aiding in further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "System user discovery on endpoint $dest$ by user $user$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*$env:UserName*\" OR ScriptBlockText = \"*[System.Environment]::UserName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "user_discovery_with_env_vars_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "USN Journal Deletion", "author": "David Dorsey, Splunk", "date": "2024-05-12", "version": 3, "id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "description": "The following analytic detects the deletion of the USN Journal using the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because the USN Journal maintains a log of all changes made to files on the disk, and its deletion can be an indicator of an attempt to cover tracks or hinder forensic investigations. If confirmed malicious, this action could allow an attacker to obscure their activities, making it difficult to trace file modifications and potentially compromising incident response efforts.", "references": [], "tags": {"analytic_story": ["Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible USN journal deletion on $dest$", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\"*deletejournal*\" AND process=\"*usn*\" | `usn_journal_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "None identified", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "usn_journal_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Vbscript Execution Using Wscript App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "35159940-228f-11ec-8a49-acde48001122", "description": "The following analytic detects the execution of VBScript using the wscript.exe application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because wscript.exe is typically not used to execute VBScript, which is usually associated with cscript.exe. This deviation can indicate an attempt to evade traditional process monitoring and antivirus defenses. If confirmed malicious, this technique could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.joesandbox.com/analysis/369332/0/html", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with commandline $process$ to execute vbsscript", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.005", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"wscript.exe\" AND Processes.parent_process = \"*//e:vbscript*\") OR (Processes.process_name = \"wscript.exe\" AND Processes.process = \"*//e:vbscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "vbscript_execution_using_wscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Verclsid CLSID Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "description": "The following analytic detects the potential abuse of the verclsid.exe utility to execute malicious files via generated CLSIDs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with verclsid.exe. This activity is significant because verclsid.exe is a legitimate Windows application used to verify CLSID COM objects, and its misuse can indicate an attempt to bypass security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise or further malicious activities.", "references": ["https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "process $process_name$ to execute possible clsid commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.012", "T1218"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process=\"*/S*\" Processes.process=\"*/C*\" AND Processes.process=\"*{*\" AND Processes.process=\"*}*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "windows can used this application for its normal COM object validation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_verclsid", "definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "verclsid_clsid_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "W3WP Spawning Shell", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "0f03423c-7c6a-11eb-bc47-acde48001122", "description": "The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is W3WP.exe. This activity is significant as it may indicate webshell activity, often associated with exploitation attempts like those by the HAFNIUM Group on Exchange servers. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-257A", "CISA AA22-264A", "Data Destruction", "Flax Typhoon", "HAFNIUM Group", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Possible Web Shell execution on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "w3wp_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WBAdmin Delete System Backups", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "description": "The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://attack.mitre.org/techniques/T1490/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin"], "tags": {"analytic_story": ["Chaos Ransomware", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System backups deletion on $dest$", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1490"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process=\"*delete*\" AND (Processes.process=\"*catalog*\" OR Processes.process=\"*systemstatebackup*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may modify the boot configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wbadmin_delete_system_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wbemprox COM Object Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "9d911ce0-c3be-11eb-b177-acde48001122", "description": "The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"analytic_story": ["LockBit Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Suspicious COM Object Execution on $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemcomn.dll\") NOT (process_name IN (\"wmiprvse.exe\", \"WmiApSrv.exe\", \"unsecapp.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\",\"*\\\\program files*\", \"*\\\\wbem\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "legitimate process that are not in the exception list may trigger this event.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wbemprox_com_object_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Connecting To IP Check Web Services", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-27", "version": 3, "id": "ed313326-a0f9-11eb-a89c-acde48001122", "description": "The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe process connecting IP location web services on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1590", "T1590.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_connecting_to_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Create Executable File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "ab3bcce0-a105-11eb-973c-acde48001122", "description": "The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe writing executable files on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_create_executable_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "e8fc95bc-a107-11eb-a978-acde48001122", "description": "The following analytic detects the spawning of cmd or PowerShell processes by the wermgr.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry, including parent-child process relationships and command-line executions. This behavior is significant as it is commonly associated with code injection techniques used by malware like TrickBot to execute shellcode or malicious DLL modules. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"analytic_story": ["Qakbot", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wermgr.exe spawning suspicious processes on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wermgr_process_spawned_cmd_or_powershell_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wget Download and Bash Execution", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "35682718-5a85-11ec-b8f7-acde48001122", "description": "The following analytic detects the use of wget on Linux or MacOS to download a file from a remote source and pipe it to bash. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly associated with malicious actions like coinminers and exploits such as CVE-2021-44228 in Log4j. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise and unauthorized access to sensitive data.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wget_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Abused Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "01f0aef4-8591-4daa-a53d-0ed49823b681", "description": "The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "a network connection on known abused web services from $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1102"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\",\"\"*textbin*\"\", \"*ngrok.io*\", \"*discord*\", \"*duckdns.org*\", \"*pasteio.com*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_abused_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "6ece9ed0-5f92-4315-889d-48560472b188", "description": "The following analytic detects a process enabling the \"SeDebugPrivilege\" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", "https://atomicredteam.io/privilege-escalation/T1134.001/#atomic-test-2---%60sedebugprivilege%60-token-duplication", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Brute Ratel C4", "CISA AA23-347A", "DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134.002", "T1134"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4703 EnabledPrivilegeList = \"*SeDebugPrivilege*\" AND NOT(ProcessName IN (\"*\\\\Program File*\", \"*\\\\System32\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\svchost.exe*\", \"*\\\\System32\\\\svchost.exe*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_access_token_manipulation_sedebugprivilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "description": "The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134.001", "T1134"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "description": "The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1134.001", "T1134"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for None Disable User Account", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "eddbf5ba-b89e-47ca-995e-2d259804e55e", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://powersploit.readthedocs.io/en/stable/Recon/README/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview", "https://atomicredteam.io/discovery/T1087.001/"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*NOT_ACCOUNTDISABLE*\" ScriptBlockText = \"*-UACFilter*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_none_disable_user_account_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_none_disable_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery for Sam Account Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "69934363-e1dd-4c49-8651-9d7663dd4d2f", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for \"samaccountname\" and \"pwdlastset\" attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Account Discovery for Sam Account Name on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText IN (\"*samaccountname*\", \"*pwdlastset*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_for_sam_account_name_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_for_sam_account_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "cf056b65-44b2-4d32-9172-d6b6f081a376", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetUser*\" ScriptBlockText = \"*-PreauthNotRequire*\" | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_account_discovery_with_netuser_preauthnotrequire_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_account_discovery_with_netuser_preauthnotrequire_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Abnormal Object Access Activity", "author": "Steven Dick", "date": "2024-05-21", "version": 2, "id": "71b289db-5f2c-4c43-8256-8bf26ae7324a", "description": "The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_ad_abnormal_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD AdminSDHolder ACL Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 2, "id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "description": "The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.", "references": ["https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory", "https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx", "https://adsecurity.org/?p=1906", "https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists", "https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=\"%%14674\" ObjectDN=\"CN=AdminSDHolder,CN=System*\" | rex field=AttributeValue max_match=10000 \"A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.", "known_false_positives": "Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_adminsdholder_acl_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Cross Domain SID History Addition", "author": "Dean Luxton", "date": "2024-05-11", "version": 2, "id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1134.005", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_cross_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "author": "Dean Luxton", "date": "2024-05-12", "version": 2, "id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "description": "The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "GPO $SubCategory$ of $Category$ was disabled on $dest$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN (\"%%8448\",\"%%8450\",\"%%8448, %%8450\") OR Changes IN (\"Failure removed\",\"Success removed\",\"Success removed, Failure removed\")) dest_category=\"domain_controller\"| replace \"%%8448\" with \"Success removed\", \"%%8450\" with \"Failure removed\", \"%%8448, %%8450\" with \"Success removed, Failure removed\" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`", "how_to_implement": "Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.", "known_false_positives": "Unknown", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_domain_controller_audit_policy_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies", "filename": "advanced_audit_policy_guids.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AD Domain Controller Promotion", "author": "Dean Luxton", "date": "2024-05-18", "version": 2, "id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "description": "The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.", "references": ["https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "AD Domain Controller Promotion Event Detected for $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_domain_controller_promotion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Domain Replication ACL Addition", "author": "Dean Luxton", "date": "2024-05-16", "version": 2, "id": "8c372853-f459-4995-afdc-280c114d33ab", "description": "The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.", "references": ["https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb", "https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$src_user$ has granted $user$ permission to replicate AD objects", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1484"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` | rex field=AttributeValue max_match=10000 \\\"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\\\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\\\"true\\\",\\\"false\\\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\\\"true\\\",\\\"false\\\")| where minDCSyncPermissions=\\\"true\\\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.", "known_false_positives": "When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_domain_replication_acl_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD DSRM Account Changes", "author": "Dean Luxton", "date": "2024-05-24", "version": 3, "id": "08cb291e-ea77-48e8-a95a-0799319bf056", "description": "The following analytic identifies changes to the Directory Services Restore Mode (DSRM) account behavior via registry modifications. It detects alterations in the registry path \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" with specific values indicating potential misuse. This activity is significant because the DSRM account, if misconfigured, can be exploited to persist within a domain, similar to a local administrator account. If confirmed malicious, an attacker could gain persistent administrative access to a Domain Controller, leading to potential domain-wide compromise and unauthorized access to sensitive information.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Changes Initiated on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" Registry.registry_value_data IN (\"*1\",\"*2\") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Disaster recovery events.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_account_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD DSRM Password Reset", "author": "Dean Luxton", "date": "2024-05-12", "version": 2, "id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "description": "The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "DSRM Account Password was reset on $dest$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id=\"4794\" AND All_Changes.result=\"An attempt was made to set the Directory Services Restore Mode administrator password\" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.", "known_false_positives": "Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Privileged Account SID History Addition", "author": "Dean Luxton", "date": "2024-05-26", "version": 3, "id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "description": "The following analytic identifies when the SID of a privileged user is added to the SID History attribute of another user. It leverages Windows Security Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. This behavior is significant as it may indicate an attempt to abuse SID history for unauthorized access across multiple domains. If confirmed malicious, this activity could allow an attacker to escalate privileges or maintain persistent access within the environment, posing a significant security risk.", "references": ["https://adsecurity.org/?p=1772"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1134.005", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*?)(}$|$)\" | eval category=\"privileged\" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`", "how_to_implement": "Ensure you have objectSid and the Down Level Logon Name `DOMAIN\\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.", "known_false_positives": "Migration of privileged accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_privileged_account_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Privileged Object Access Activity", "author": "Steven Dick", "date": "2024-05-18", "version": 2, "id": "dc2f58bc-8cd2-4e51-962a-694b963acde0", "description": "The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.", "references": ["https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://attack.mitre.org/tactics/TA0007/"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "object_name", "type": "Other", "role": ["Attacker"]}], "message": "The account $user$ accessed $object_count$ privileged AD object(s).", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectName IN ( \"CN=Account Operators,*\", \"CN=Administrators,*\", \"CN=Backup Operators,*\", \"CN=Cert Publishers,*\", \"CN=Certificate Service DCOM Access,*\", \"CN=Domain Admins,*\", \"CN=Domain Controllers,*\", \"CN=Enterprise Admins,*\", \"CN=Enterprise Read-only Domain Controllers,*\", \"CN=Group Policy Creator Owners,*\", \"CN=Incoming Forest Trust Builders,*\", \"CN=Microsoft Exchange Servers,*\", \"CN=Network Configuration Operators,*\", \"CN=Power Users,*\", \"CN=Print Operators,*\", \"CN=Read-only Domain Controllers,*\", \"CN=Replicators,*\", \"CN=Schema Admins,*\", \"CN=Server Operators,*\", \"CN=Exchange Trusted Subsystem,*\", \"CN=Exchange Windows Permission,*\", \"CN=Organization Management,*\") | rex field=ObjectName \"CN\\=(?[^,]+)\" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`", "how_to_implement": "Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA.", "known_false_positives": "Service accounts or applications that routinely query Active Directory for information.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_ad_privileged_object_access_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated by User Account", "author": "Dean Luxton", "date": "2024-05-16", "version": 3, "id": "51307514-1236-49f6-8686-d46d93cc2821", "description": "The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.006", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND NOT (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`", "known_false_positives": "Azure AD Connect syncing operations.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_replication_request_initiated_by_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "author": "Dean Luxton", "date": "2024-05-20", "version": 4, "id": "50998483-bb15-457b-a870-965080d9e3d3", "description": "The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"analytic_story": ["Credential Dumping", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003.006", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category=\"domain_controller\" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.", "known_false_positives": "Genuine DC promotion may trigger this alert.", "datamodel": ["Authentication", "Change"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Same Domain SID History Addition", "author": "Dean Luxton", "date": "2024-05-22", "version": 3, "id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "description": "The following analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute can be abused by adversaries to grant unauthorized access by inheriting permissions from another account. If confirmed malicious, this could allow attackers to maintain persistent access or escalate privileges within the domain, posing a severe security risk.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1134.005", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_same_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "author": "Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 3, "id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "description": "The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $ObjectDN$ was set by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user | `windows_ad_serviceprincipalname_added_to_domain_account_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_serviceprincipalname_added_to_domain_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "b681977c-d90c-4efc-81a5-c58f945fb541", "description": "The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Servince Principal Name for $user$ was set and shortly deleted", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "author": "Dean Luxton", "date": "2024-05-11", "version": 4, "id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "description": "The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.", "references": ["https://www.dcshadow.com/", "https://blog.netwrix.com/2022/09/28/dcshadow_attack/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://attack.mitre.org/techniques/T1207/", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue=\"GC/*\" OR AttributeValue=\"E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),\"TRUE\") | where short_lived=\"TRUE\" AND mvcount(OperationType)>1 | replace \"%%14674\" with \"Value Added\", \"%%14675\" with \"Value Deleted\" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.", "known_false_positives": "None.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_short_lived_domain_controller_spn_attribute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD Short Lived Server Object", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "description": "The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.", "references": ["https://www.dcshadow.com/", "https://attack.mitre.org/techniques/T1207/", "https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/", "https://pentestlab.blog/2018/04/16/dcshadow/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "Potential DCShadow Attack Detected on $Computer$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN=\"*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*\" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.", "known_false_positives": "Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_short_lived_server_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AD SID History Attribute Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "1155e47d-307f-4247-beab-71071e3a458c", "description": "The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1134", "T1134.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType=\"%%14674\" | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rename Computer as dest | `windows_ad_sid_history_attribute_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_sid_history_attribute_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows AdFind Exe", "author": "Jose Hernandez, Bhavin Patel, Splunk", "date": "2024-05-13", "version": 4, "id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "description": "The following analytic identifies the execution of `adfind.exe` with specific command-line arguments related to Active Directory queries. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and FIN6 to gather sensitive AD information. If confirmed malicious, this activity could allow attackers to map the AD environment, facilitating further attacks such as privilege escalation or lateral movement.", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption", "https://www.joeware.net/freetools/tools/adfind/index.htm", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["Domain Trust Discovery", "Graceful Wipe Out Attack", "IcedID", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows AdFind Exe", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* -f *\" OR Processes.process=\"* -b *\") AND (Processes.process=*objectcategory* OR Processes.process=\"* -gcb *\" OR Processes.process=\"* -sc *\") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_adfind_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admin Permission Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "e08620cb-9488-4052-832d-97bcc0afd414", "description": "The following analytic identifies the creation of a suspicious file named 'win.dat' in the root directory (C:\\). It leverages data from the Endpoint.Filesystem datamodel to detect this activity. This behavior is significant as it is commonly used by malware like NjRAT to check for administrative privileges on a compromised host. If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions, potentially leading to further system compromise and persistence.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "A file was created in root drive C:/ on host - $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\", \"*.dll\", \"*.sys\", \"*.com\", \"*.vbs\", \"*.vbe\", \"*.js\", \"*.bat\", \"*.cmd\", \"*.pif\", \"*.lnk\", \"*.dat\") by Filesystem.dest Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"C:\") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_admin_permission_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "description": "The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://en.wikipedia.org/wiki/Administrative_share", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "$IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1135"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName=\"\\\\\\\\*\\\\ADMIN$\" OR ShareName=\"\\\\\\\\*\\\\IPC$\" OR ShareName=\"\\\\\\\\*\\\\C$\") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.", "known_false_positives": "An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_administrative_shares_accessed_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Admon Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "83458004-db60-4170-857d-8572f16f070b", "description": "The following analytic detects modifications to the default Group Policy Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to monitor updates to the \"Default Domain Policy\" and \"Default Domain Controllers Policy.\" This activity is significant because changes to these default GPOs can indicate an adversary with privileged access attempting to gain further control, establish persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A default domain group policy was updated on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" (displayName=\"Default Domain Policy\" OR displayName=\"Default Domain Controllers Policy\") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Admon Group Policy Object Created", "author": "Mauricio Velazco, Splunk", "date": "2024-05-20", "version": 2, "id": "69201633-30d9-48ef-b1b6-e680805f0582", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, excluding default \"New Group Policy Object\" entries. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "message": "A new group policy objected was created on $dcName$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" versionNumber=0 displayName!=\"New Group Policy Object\" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Base64 Content", "author": "Steven Dick, Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-28", "version": 3, "id": "683f48de-982f-4a7e-9aac-9cec550da498", "description": "The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.", "references": ["https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://blog.netwrix.com/2022/12/16/alternate_data_stream/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/file-stream-creation-hash.md"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1564", "T1564.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=15 NOT Contents IN (\"-\",\"[ZoneTransfer]*\") | regex TargetFilename=\"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "arguments": ["b64in"]}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_alternate_datastream___base64_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Alternate DataStream - Executable Content", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 3, "id": "a258bf2a-34fd-4986-8086-78f506e00206", "description": "The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.", "references": ["https://car.mitre.org/analytics/CAR-2020-08-001/", "https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams", "https://twitter.com/0xrawsec/status/1002478725605273600?s=21"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}, {"name": "file_hash", "type": "File Hash", "role": ["Attacker"]}], "message": "Base64 content written to an NTFS alternate data stream by $user$, see command field for details.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1564", "T1564.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=15 IMPHASH!=00000000000000000000000000000000 | regex TargetFilename=\"(? upperBound, \"Yes\", \"No\") | where anomaly=\"Yes\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_applocker_execution_from_uncommon_locations_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there. Upon tuning, modify to Anomaly or TTP.", "known_false_positives": "False positives are possible if legitimate users are executing applications from file paths that are not permitted by AppLocker. It is recommended to investigate the context of the application execution to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_applocker_execution_from_uncommon_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 2, "id": "bca48629-7fa2-40d3-9e5d-807564504e28", "description": "The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to bypass application restrictions was detected on a host $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040) | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime by dest, PolicyName, RuleId, user, TargetProcessId, FilePath, FullFilePath, EventCode | where attempt_count > 5 | sort - attempt_count | lookup applockereventcodes EventCode OUTPUT Description | `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk.", "known_false_positives": "False positives are possible if legitimate users are attempting to bypass application restrictions. This could occur if a user is attempting to run an application that is not permitted by AppLocker. It is recommended to investigate the context of the bypass attempt to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_privilege_escalation_via_unauthorized_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "applockereventcodes", "description": "A csv of the ID and rule name for AppLocker event codes.", "filename": "applockereventcodes.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(AppLocker_Event_Code)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows AppLocker Rare Application Launch Detection", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "9556f7b7-285f-4f18-8eeb-963d989f9d27", "description": "The following analytic detects the launch of rarely used applications within the environment, which may indicate the use of potentially malicious software or tools by attackers. It leverages Windows AppLocker event logs, aggregating application launch counts over time and flagging those that significantly deviate from the norm. This behavior is significant as it helps identify unusual application activity that could signal a security threat. If confirmed malicious, this activity could allow attackers to execute unauthorized code, potentially leading to further compromise of the system.", "references": ["https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting"], "tags": {"analytic_story": ["Windows AppLocker"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An application launch that deviates from the norm was detected on a host $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`applocker` | spath input=UserData_Xml | rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user | stats dc(_time) as days, count by FullFilePath dest user | eventstats avg(count) as avg, stdev(count) as stdev | eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3) | where count > upperBound OR count < lowerBound | `windows_applocker_rare_application_launch_detection_filter`", "how_to_implement": "The analytic is designed to be run against Windows AppLocker event logs collected from endpoints with AppLocker enabled. If using Microsoft Defender for Endpoint (MDE), modify the analytic to use EventTypes/ActionTypes that match the block events for AppLocker. The analytic requires the AppLocker event logs to be ingested into Splunk. Note that, an additional method to reduce any false positives would be to add the specific EventCodes - 8003 or 8004 and filter from there.", "known_false_positives": "False positives are possible if legitimate users are launching applications that are not permitted by AppLocker. It is recommended to investigate the context of the application launch to determine if it is malicious or not. Modify the threshold as needed to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "applocker", "definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events."}, {"name": "windows_applocker_rare_application_launch_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5", "description": "The following analytic detects the use of PowerShell scripts to archive files into a temporary folder. It leverages PowerShell Script Block Logging, specifically monitoring for the `Compress-Archive` command targeting the `Temp` directory. This activity is significant as it may indicate an adversary's attempt to collect and compress data for exfiltration. If confirmed malicious, this behavior could lead to unauthorized data access and exfiltration, posing a severe risk to sensitive information and overall network security.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Archive Collected Data via Powershell on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Compress-Archive*\" ScriptBlockText = \"*\\\\Temp\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to archive data.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_archive_collected_data_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Archive Collected Data via Rar", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "2015de95-fe91-413d-9d62-2fe011b67e82", "description": "The following analytic identifies the execution of RAR utilities to archive files on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line arguments. This activity is significant as threat actors, including red-teamers and malware like DarkGate, use RAR archiving to compress and exfiltrate collected data from compromised hosts. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive information to command and control servers, posing a severe risk to data confidentiality and integrity.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a Rar.exe commandline used in archiving collected data in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1560.001", "T1560"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"Rar.exe\" OR Processes.original_file_name = \"Rar.exe\" AND Processes.process = \"*a*\" Processes.process = \"* -ep1*\" Processes.process = \"* -r*\" Processes.process = \"* -y*\" Processes.process = \"* -v5m*\" Processes.process = \"* -m1*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_rar_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_archive_collected_data_via_rar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AutoIt3 Execution", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "0ecb40d9-492b-4a57-9f87-515dd742794c", "description": "The following analytic detects the execution of AutoIt3, a scripting language often used for automating Windows GUI tasks and general scripting. It identifies instances where AutoIt3 or its variants are executed by searching for process names or original file names matching 'autoit3.exe'. This activity is significant because attackers frequently use AutoIt3 to automate malicious actions, such as executing malware. If confirmed malicious, this activity could lead to unauthorized code execution, system compromise, or further propagation of malware within the environment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Other"]}], "message": "Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_autoit3_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "description": "The following analytic detects modifications to undocumented registry keys that allow a DLL to load into lsass.exe, potentially capturing credentials. It leverages the Endpoint.Registry data model to identify changes to \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt. This activity is significant as it indicates a possible attempt to inject malicious code into the Local Security Authority Subsystem Service (LSASS), which can lead to credential theft. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information and escalate privileges within the environment.", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1547.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt\",\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_autostart_execution_lsass_driver_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "description": "The following analytic detects the use of mavinject.exe for DLL injection into running processes, identified by specific command-line parameters such as /INJECTRUNNING and /HMODULE. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it indicates potential arbitrary code execution, a common tactic for malware deployment and persistence. If confirmed malicious, this could allow attackers to execute unauthorized code, escalate privileges, and maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1218/013/", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.013", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN (\"*injectrunning*\", \"*hmodule=0x*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter on DLL name or parent process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_binary_proxy_execution_mavinject_dll_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "99d157cb-923f-4a00-aee9-1f385412146f", "description": "The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process dropped a file in %startup% folder in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1547.001", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows BootLoader Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "description": "The following analytic identifies the bootloader paths on Windows endpoints. It leverages a PowerShell Scripted input to capture this data, which is then processed and aggregated using Splunk. Monitoring bootloader paths is significant for a SOC as it helps detect unauthorized modifications that could indicate bootkits or other persistent threats. If confirmed malicious, such activity could allow attackers to maintain persistence, bypass security controls, and potentially control the boot process, leading to full system compromise.", "references": ["https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of BootLoaders are present on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1542.001", "T1542"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`", "how_to_implement": "To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model.", "known_false_positives": "No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "bootloader_inventory", "definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_bootloader_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "cce58e2c-988a-4319-9390-0daa9eefa3cd", "description": "The following analytic detects the execution of the deprecated 'pkgmgr.exe' process with an XML input file, which is unusual and potentially suspicious. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process execution details and command-line arguments. The significance lies in the deprecated status of 'pkgmgr.exe' and the use of XML files, which could indicate an attempt to bypass User Account Control (UAC). If confirmed malicious, this activity could allow an attacker to execute commands with elevated privileges, leading to potential system compromise and unauthorized changes.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A pkgmgr.exe executed with package manager xml input file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = \"*.xml*\" NOT(Processes.parent_process_path IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"*:\\\\Program Files*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_bypass_uac_via_pkgmgr_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows CAB File on Disk", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "622f08d0-69ef-42c2-8139-66088bc25acd", "description": "The following analytic detects .cab files being written to disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on events where the file name is '*.cab' and the action is 'write'. This activity is significant as .cab files can be used to deliver malicious payloads, including embedded .url files that execute harmful code. If confirmed malicious, this behavior could lead to unauthorized code execution and potential system compromise. Analysts should review the file path and associated artifacts for further investigation.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A .cab file was written to disk on endpoint $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.cab) by Filesystem.dest Filesystem.action Filesystem.process_id Filesystem.file_name | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cab_file_on_disk_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_cab_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Cached Domain Credentials Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "description": "The following analytic identifies a process command line querying the CachedLogonsCount registry value in the Winlogon registry. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and registry queries. Monitoring this activity is significant as it can indicate the use of post-exploitation tools like Winpeas, which gather information about login caching settings. If confirmed malicious, this activity could help attackers understand login caching configurations, potentially aiding in credential theft or lateral movement within the network.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://learn.microsoft.com/de-de/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.005", "T1003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Processes.process = \"*CACHEDLOGONSCOUNT*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_cached_domain_credentials_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Change Default File Association For No File Ext", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "dbdf52ad-d6a1-4b68-975f-0a10939d8e38", "description": "The following analytic detects attempts to change the default file association for files without an extension to open with Notepad.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and registry modifications. This activity is significant as it can indicate an attempt to manipulate file handling behavior, a technique observed in APT and ransomware attacks like Prestige. If confirmed malicious, this could allow attackers to execute arbitrary code by tricking users into opening files, potentially leading to system compromise or data exfiltration.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with commandline $process$ set or change the file association of a file with no file extension in $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1546.001", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process=\"* add *\" AND Processes.process=\"* HKCR\\\\*\" AND Processes.process=\"*\\\\shell\\\\open\\\\command*\" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process \"Notepad\\.exe (?.*$)\" | rex field=file_name_association \"\\.(?[^\\.]*$)\" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_change_default_file_association_for_no_file_ext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "ab73289e-2246-4de0-a14b-67006c72a893", "description": "The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1115"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_clipboard_data_via_get_clipboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows COM Hijacking InprocServer32 Modification", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "description": "The following analytic detects the modification of the InProcServer32 registry key by reg.exe, indicative of potential COM hijacking. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. COM hijacking is significant as it allows adversaries to insert malicious code that executes in place of legitimate software, providing a means for persistence. If confirmed malicious, this activity could enable attackers to execute arbitrary code, disrupt legitimate system components, and maintain long-term access to the compromised environment.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.015", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and some filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "description": "The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of \"/..\", \"\\..\", or \"\\\\..\". This activity is significant as it often indicates attempts to evade defenses by executing malicious code, such as through msdt.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,\"/..\"))-1) | eval count_of_pattern2 = (mvcount(split(process,\"\\..\"))-1) | eval count_of_pattern3 = (mvcount(split(process,\"\\\\..\"))-1) | eval count_of_pattern4 = (mvcount(split(process,\"//..\"))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 3, "id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "description": "The following analytic detects path traversal command-line execution, often used in malicious documents to execute code via msdt.exe for defense evasion. It leverages Endpoint Detection and Response (EDR) data, focusing on specific patterns in process paths. This activity is significant as it can indicate an attempt to bypass security controls and execute unauthorized code. If confirmed malicious, this behavior could lead to code execution, privilege escalation, or persistence within the environment, potentially allowing attackers to deploy malware or leverage other living-off-the-land binaries (LOLBins).", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process=\"*\\/..\\/..\\/..\\/*\" OR Processes.process=\"*\\\\..\\\\..\\\\..\\\\*\" OR Processes.process=\"*\\/\\/..\\/\\/..\\/\\/..\\/\\/*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Not known at this moment.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "description": "The following analytic detects the execution of a DCRat \"forkbomb\" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data, focusing on the rapid creation of cmd.exe and notepad.exe processes within a 30-second window. This activity is significant as it indicates a potential DCRat infection, a known Remote Access Trojan (RAT) with destructive capabilities. If confirmed malicious, this behavior could lead to system instability, resource exhaustion, and potential disruption of services.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Multiple cmd.exe processes with child process of notepad.exe executed on $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059.003", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= \"cmd.exe\" (Processes.process_name = \"notepad.exe\" OR Processes.original_file_name= \"notepad.exe\") Processes.parent_process = \"*.bat*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_shell_dcrat_forkbomb_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Command Shell Fetch Env Variables", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "048839e4-1eaa-43ff-8a22-86d17f6fcc13", "description": "The following analytic identifies a suspicious process command line fetching environment variables with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity is significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*cmd /c set\" OR Processes.process = \"*cmd.exe /c set\" AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "shell process that are not included in this search may cause False positive. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_command_shell_fetch_env_variables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a", "description": "The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise.", "references": ["https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html", "https://www.splunk.com/en_us/blog/security/dark-crystal-rat-agent-deep-dive.html"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A", "DarkCrystal RAT", "Disabling Security Tools", "FIN7", "Netsh Abuse", "Qakbot", "Sandworm Tools", "Volt Typhoon", "Windows Defense Evasion Tactics", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "series of process commandline being abused by threat actor have been identified on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*Cmdline Tool Not Executed In CMD Shell*\", \"*Windows System Network Config Discovery Display DNS*\", \"*Local Account Discovery With Wmic*\", \"*Net Localgroup Discovery*\", \"*Create local admin accounts using net exe*\", \"*Local Account Discovery with Net*\", \"*Icacls Deny Command*\", \"*ICACLS Grant Command*\", \"*Windows Proxy Via Netsh*\", \"*Processes launching netsh*\", \"*Disabling Firewall with Netsh*\", \"*Windows System Network Connections Discovery Netsh*\", \"*Network Connection Discovery With Arp*\", \"*Windows System Discovery Using ldap Nslookup*\", \"*Windows System Shutdown CommandLine*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_common_abused_cmd_shell_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Computer Account Created by Computer Account", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "description": "The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) \"RestrictedKrbHost\". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack).", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!=\"NT AUTHORITY\" ServicePrincipalNames=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, user_type, SubjectUserName,SubjectDomainName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may have a computer account that adds computer accounts, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_computer_account_created_by_computer_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "fb3b2bb3-75a4-4279-848a-165b42624770", "description": "The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName=\"*$\" src_ip!=\"::1\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible false positives will be present based on third party applications. Filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_computer_account_requesting_kerberos_ticket_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Computer Account With SPN", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 3, "id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "description": "The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.", "references": ["https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4741 NewUacValue=\"0x80\" ServicePrincipalNames IN (\"*HOST/*\",\"*RestrictedKrbHost/*\") | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(TargetDomainName),values(PrimaryGroupId), values(OldUacValue), values(NewUacValue),values(SamAccountName),values(DnsHostName),values(ServicePrincipalNames) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_computer_account_with_spn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows ConHost with Headless Argument", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "d5039508-998d-4cfc-8b5e-9dcd679d9a62", "description": "The following analytic detects the unusual invocation of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring for command-line executions where conhost.exe is executed with the --headless argument. This activity is significant for a SOC as it is not commonly used in legitimate operations and may indicate an attacker's attempt to execute commands stealthily. If confirmed malicious, this behavior could lead to persistence, lateral movement, or other malicious activities, potentially resulting in data exfiltration or system compromise.", "references": ["https://x.com/embee_research/status/1559410767564181504?s=20", "https://x.com/GroupIB_TI/status/1719675754886131959?s=20"], "tags": {"analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows ConHost with Headless Argument detected on $dest$ by $user$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1564.003", "T1564.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=conhost.exe Processes.process=\"*--headless *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_conhost_with_headless_argument_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the application is legitimately used, filter by user or endpoint as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_conhost_with_headless_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Create Local Account", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "description": "The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.", "references": ["https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"analytic_story": ["Active Directory Password Spraying"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The following $user$ was added to $dest$ as a local account.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1136.001", "T1136"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.", "datamodel": ["Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_create_local_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credential Access From Browser Password Store", "author": "Teoderick Contreras, Bhavin Patel Splunk", "date": "2024-05-29", "version": 2, "id": "72013a8e-5cea-408a-9d51-5585386b4d69", "description": "The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-common browser process $process_name$ accessing browser user data folder on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | lookup browser_app_list browser_object_path as object_file_path OUTPUT browser_process_name isAllowed | stats count min(_time) as firstTime max(_time) as lastTime values(object_file_name) values(object_file_path) values(browser_process_name) as browser_process_name by dest process_name process_path process_id EventCode isAllowed | rex field=process_name \"(?[^\\\\\\\\]+)$\" | eval isMalicious=if(match(browser_process_name, extracted_process_name), \"0\", \"1\") | where isMalicious=1 and isAllowed=\"false\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_access_from_browser_password_store_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\" This search may trigger on a browser application that is not included in the browser_app_list lookup file.", "known_false_positives": "The lookup file `browser_app_list` may not contain all the browser applications that are allowed to access the browser user data profiles. Consider updating the lookup files to add allowed object paths for the browser applications that are not included in the lookup file.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credential_access_from_browser_password_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "browser_app_list", "description": "A list of known browser application being targeted for credential extraction.", "filename": "browser_app_list.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(browser_process_name), WILDCARD(browser_object_path)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "description": "The following analytic detects the use of CreateDump.exe to perform a process dump. This binary is not native to Windows and is often introduced by third-party applications, including PowerShell 7. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and complete command-line executions. This activity is significant as it may indicate an attempt to dump LSASS memory, which can be used to extract credentials. If confirmed malicious, this could lead to unauthorized access and lateral movement within the network.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5"], "tags": {"analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name=\"FX_VER_INTERNALNAME_STR\" Processes.process=\"*-u *\" AND Processes.process=\"*-f *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credential_dumping_lsass_memory_createdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "description": "The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "CISA AA23-347A", "DarkGate Malware", "Phemedrone Stealer", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Local Extension Settings\\\\*\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credentials_from_password_stores_chrome_extension_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "3b1d09a8-a26f-473e-a510-6c6613573657", "description": "The following analytic detects non-Chrome processes accessing the Chrome \"Local State\" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing \"Chrome\\\\User Data\\\\Local State\" file on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\" NOT (process_name IN (\"*\\\\chrome.exe\",\"*:\\\\Windows\\\\explorer.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credentials_from_password_stores_chrome_localstate_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "description": "The following analytic identifies non-Chrome processes accessing the Chrome user data file \"login data.\" This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["Amadey", "DarkGate Malware", "NjRAT", "Phemedrone Stealer", "RedLine Stealer", "Snake Keylogger", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-chrome process $process_name$ accessing Chrome \"Login Data\" file on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*:\\\\Windows\\\\System32\\\\dllhost.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_credentials_from_password_stores_chrome_login_data_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Creation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "c0c5a479-bf57-4ca0-af3a-4c7081e5ba05", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is used to create stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because cmdkey.exe is often abused by post-exploitation tools and malware, such as Darkgate, to gain unauthorized access. If confirmed malicious, this behavior could allow attackers to escalate privileges and maintain persistence on the targeted host, facilitating further attacks and potential data breaches.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to create stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1555"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/generic*\" Processes.process IN (\"*/user*\", \"*/password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_creation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "46d676aa-40c6-4fe6-b917-d23b621f0f89", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe with the /delete parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. The activity is significant because cmdkey.exe can be used by attackers to delete stored credentials, potentially leading to privilege escalation and persistence. If confirmed malicious, this behavior could allow attackers to remove stored user credentials, hindering incident response efforts and enabling further unauthorized access to the compromised system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to delete stored credentials", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1555"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/delete*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials from Password Stores Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "description": "The following analytic detects the execution of the Windows OS tool cmdkey.exe, which is often abused by post-exploitation tools like winpeas, commonly used in ransomware attacks to list stored usernames, passwords, or credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it indicates potential credential harvesting, which can lead to privilege escalation and persistence. If confirmed malicious, attackers could gain unauthorized access to sensitive information and maintain control over compromised systems for further exploitation.", "references": ["https://ss64.com/nt/cmdkey.html", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["DarkGate Malware", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $process_name$ was executed in $dest$ to display stored username and credentials.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/list*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Credentials in Registry Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "description": "The following analytic identifies processes querying the registry for potential passwords or credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that access specific registry paths known to store sensitive information. This activity is significant as it may indicate credential theft attempts, often used by adversaries or post-exploitation tools like winPEAS. If confirmed malicious, this behavior could lead to privilege escalation, persistence, or lateral movement within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1552/002/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "reg query commandline $process$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.002", "T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process IN (\"*\\\\Software\\\\ORL\\\\WinVNC3\\\\Password*\", \"*\\\\SOFTWARE\\\\RealVNC\\\\WinVNC4 /v password*\", \"*\\\\CurrentControlSet\\\\Services\\\\SNMP*\", \"*\\\\Software\\\\TightVNC\\\\Server*\", \"*\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions*\", \"*\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys*\", \"*password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_credentials_in_registry_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Download to Suspicious Path", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "c32f091e-30db-11ec-8738-acde48001122", "description": "The following analytic detects the use of Windows Curl.exe to download a file to a suspicious location, such as AppData, ProgramData, or Public directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include the -O or --output options. This activity is significant because downloading files to these locations can indicate an attempt to bypass security controls or establish persistence. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further compromise of the system.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://attack.mitre.org/techniques/T1105/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"], "tags": {"analytic_story": ["Forest Blizzard", "IcedID", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_curl_download_to_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Curl Upload to Remote Destination", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "42f8f1a2-4228-11ec-aade-acde48001122", "description": "The following analytic detects the use of Windows Curl.exe to upload a file to a remote destination. It identifies command-line arguments such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity is significant because adversaries may use Curl to exfiltrate data or upload malicious payloads. If confirmed malicious, this could lead to data breaches or further compromise of the system. Analysts should review parallel processes and network logs to determine if the upload was successful and isolate the endpoint if necessary.", "references": ["https://everything.curl.dev/usingcurl/uploads", "https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409", "https://twitter.com/d1r4c/status/1279042657508081664?s=20"], "tags": {"analytic_story": ["Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be limited to source control applications and may be required to be filtered out.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_curl_upload_to_remote_destination_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-24", "version": 3, "id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "description": "The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.", "references": ["https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"analytic_story": ["Data Destruction", "Swift Slicer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}], "message": "The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.exe\", \"*.sys\", \"*.dll\") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "The uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. A filter is necessary to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_data_destruction_recursive_exec_files_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Debugger Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-06-07", "version": 1, "id": "e14d94a3-07fb-4b47-8406-f5e37180d422", "description": "This analysis detects the use of debugger tools within a production environment. While these tools are legitimate for file analysis and debugging, they are abused by malware like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) in identifying potentially suspicious tool executions, particularly for non-technical users in the production network.", "references": ["https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html", "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "tags": {"analytic_story": ["DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "a debugger $process_name$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"x32dbg.exe\" OR Processes.process_name = \"x64dbg.exe\" OR Processes.process_name = \"windbg.exe\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_debugger_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator or IT professional may execute this application for verifying files or debugging application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_debugger_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "description": "The following analytic identifies modifications to the TranscodedWallpaper file in the wallpaper theme directory, excluding changes made by explorer.exe. This detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to correlate process activity with file modifications. This activity is significant as it may indicate an adversary attempting to deface or change the desktop wallpaper of a targeted host, a tactic often used to signal compromise or deliver a message. If confirmed malicious, this could be a sign of unauthorized access and tampering, potentially leading to further system compromise or data exfiltration.", "references": ["https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "modification or creation of transcodedwallpaper file by $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1491"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !=\"*\\\\Windows\\\\Explorer.EXE\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Themes\\\\TranscodedWallpaper\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "3rd part software application can change the wallpaper. Filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_defacement_modify_transcodedwallpaper_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 2, "id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserSid", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "A default group policy object was modified on $Computer$ by $SubjectUserSid$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN=\"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*\" OR ObjectDN=\"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*\") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 2, "id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "description": "The following analytic detects modifications to default Group Policy Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with specific GUIDs related to default GPOs. This activity is significant because default GPOs, such as the `Default Domain Controllers Policy` and `Default Domain Policy`, are critical for enforcing security policies across the domain. If malicious, such modifications could allow an attacker to gain further access, establish persistence, or deploy malware across numerous hosts, severely compromising the network's security.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A default group policy object was opened with Group Policy Manage Editor on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1484", "T1484.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = \"*31B2F340-016D-11D2-945F-00C04FB984F9*\" OR Processes.process = \"*6AC1786C-016F-11D2-945F-00C04fB984F9*\" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_default_group_policy_object_modified_with_gpme_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Defender ASR Audit Events", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea", "description": "This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR audit event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1566.001", "T1566.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | stats count min(_time) as firstTime max(_time) as lastTime by host, Process_Name, Target_Commandline, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_audit_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_audit_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Block Events", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "026f5f4e-e99f-4155-9e63-911ba587300b", "description": "This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR block event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1566.001", "T1566.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | stats count min(_time) as firstTime max(_time) as lastTime by host, Path, Parent_Commandline, Process_Name, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_block_events_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_block_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Registry Modification", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "6a1b6cbe-6612-44c3-92b9-1a1bd77412eb", "description": "The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR registry modification event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rule Disabled", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "429d611b-3183-49a7-b235-fc4203c4e1cb", "description": "The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.", "references": ["https://asrgen.streamlit.app/"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "ASR rule disabled event, $ASR_Rule$, was triggered on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | search New_Registry_Value=\"Disabled\" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.", "known_false_positives": "False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rule_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender ASR Rules Stacking", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "425a6657-c5e4-4cbb-909e-fc9e5d326f01", "description": "The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "tags": {"analytic_story": ["Windows Attack Surface Reduction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "ASR_Rule", "type": "Unknown", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An ASR rule, $ASR_Rule$, was triggered on $dest$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566.001", "T1566.002", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`ms_defender` EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007) | stats count min(_time) as firstTime max(_time) as lastTime by host Parent_Commandline, Process_Name, Path, ID, EventCode | lookup asr_rules ID OUTPUT ASR_Rule | fillnull value=NULL | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rules_stacking_filter`", "how_to_implement": "The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired.", "known_false_positives": "False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "ms_defender", "definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_defender_asr_rules_stacking_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.", "filename": "asr_rules.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Defender Exclusion Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 4, "id": "13395a44-4dd9-11ec-9df7-acde48001122", "description": "The following analytic detects modifications to the Windows Defender exclusion registry entries. It leverages endpoint registry data to identify changes in the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\". This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Azorult", "Qakbot", "Remcos", "Warzone RAT", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to use this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_defender_exclusion_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Delete or Modify System Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "b188d11a-eba7-419d-b8b6-cc265b4f2c4f", "description": "The following analytic identifies 'netsh' processes that delete or modify firewall configurations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific keywords. This activity is significant because it can indicate malware, such as NJRAT, attempting to alter firewall settings to evade detection or remove traces. If confirmed malicious, this behavior could allow an attacker to disable security measures, facilitating further compromise and persistence within the network.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ deleted a firewall configuration on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1562.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* firewall *\" Processes.process = \"* delete *\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_delete_or_modify_system_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may modify or delete firewall configuration.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_delete_or_modify_system_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "description": "The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Change Password Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" with a value of \"0x00000001\". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableChangePassword\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "datamodel": ["Endpoint", "Change"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_change_password_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 4, "id": "c82adbc6-9f00-11ec-a81f-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" with a value of \"0x00000001\". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption.", "references": ["https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/", "https://heimdalsecurity.com/blog/fatalrat-targets-telegram/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"DisableLockWorkstation\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_lock_workstation_feature_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable LogOff Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 4, "id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "description": "The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system.", "references": ["https://www.hybrid-analysis.com/sample/e2d4018fd3bd541c153af98ef7c25b2bf4a66bc3bfb89e437cde89fd08a9dd7b/5b1f4d947ca3e10f22714774", "https://malwiki.org/index.php?title=DigiPop.xp", "https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"NoLogOff\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_logoff_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Memory Crash Dump", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 3, "id": "59e54602-9680-11ec-a8a6-acde48001122", "description": "The following analytic detects attempts to disable the memory crash dump feature on Windows systems by setting the registry value to 0. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled registry key. This activity is significant because disabling crash dumps can hinder forensic analysis and incident response efforts. If confirmed malicious, this action could be part of a broader attack strategy, such as data destruction or system destabilization, as seen with HermeticWiper, potentially leading to significant operational disruptions and data loss.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process was identified attempting to disable memory crash dumps on $dest$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\CrashControl\\\\CrashDumpEnabled\") AND Registry.registry_value_data=\"0x00000000\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_memory_crash_dump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Notification Center", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 4, "id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "description": "The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableNotificationCenter\" registry value set to \"0x00000001.\" This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Windows notification center was disabled on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_notification_center_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable or Modify Tools Via Taskkill", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a43ae66f-c410-4b3d-8741-9ce1ad17ddb0", "description": "The following analytic identifies the use of taskkill.exe to forcibly terminate processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific taskkill parameters. This activity is significant because it can indicate attempts to disable security tools or disrupt legitimate applications, a common tactic in malware operations. If confirmed malicious, this behavior could allow attackers to evade detection, disrupt system stability, and potentially gain further control over the compromised system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "message": "A taskkill process to terminate process is executed on host- $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562", "T1562.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" Processes.process IN (\"* /f*\", \"* /t*\") Processes.process IN (\"* /im*\", \"* /pid*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Network administrator can use this application to kill process during audit or investigation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_or_modify_tools_via_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Shutdown Button Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "55fb2958-9ecd-11ec-a06a-acde48001122", "description": "The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/"], "tags": {"analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"shutdownwithoutlogon\" on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_shutdown_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "description": "The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively.", "references": ["https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["CISA AA23-347A", "IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.002", "T1562", "T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*set config*\", \"*httplogging*\",\"*dontlog:true*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_event_logging_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 5, "id": "63a449ae-9f04-11ec-945e-acde48001122", "description": "The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment.", "references": ["https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis", "https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details"], "tags": {"analytic_story": ["CISA AA23-347A", "Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to disable windows group policy features on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_group_policy_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DisableAntiSpyware Registry", "author": "Rod Soto, Jose Hernandez, Michael Haag, Splunk", "date": "2024-05-28", "version": 3, "id": "23150a40-9301-4195-b802-5bb4f43067fb", "description": "The following analytic detects the modification of the Windows Registry key \"DisableAntiSpyware\" being set to disable. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"DisableAntiSpyware\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with Ryuk ransomware infections, indicating potential malicious intent to disable Windows Defender. If confirmed malicious, this action could allow attackers to disable critical security defenses, facilitating further malicious activities such as data encryption, exfiltration, or additional system compromise.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/"], "tags": {"analytic_story": ["Azorult", "CISA AA22-264A", "CISA AA23-347A", "RedLine Stealer", "Ryuk Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows DisableAntiSpyware registry key set to 'disabled' on $dest$", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name=\"DisableAntiSpyware\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_disableantispyware_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DiskCryptor Usage", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "description": "The following analytic detects the execution of DiskCryptor, identified by the process names \"dcrypt.exe\" or \"dcinst.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. DiskCryptor is significant because adversaries use it to manually encrypt disks during an operation, potentially leading to data inaccessibility. If confirmed malicious, this activity could result in complete disk encryption, causing data loss and operational disruption. Immediate investigation is required to mitigate potential ransomware attacks.", "references": ["https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://github.com/DavidXanatos/DiskCryptor"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1486"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dcrypt.exe\" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_diskcryptor_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Diskshadow Proxy Execution", "author": "Lou Stella, Splunk", "date": "2024-05-18", "version": 2, "id": "58adae9e-8ea3-11ec-90f6-acde48001122", "description": "The following analytic detects the use of DiskShadow.exe in scripting mode, which can execute arbitrary unsigned code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions with scripting mode flags. This activity is significant because DiskShadow.exe is typically used for legitimate backup operations, but its misuse can indicate an attempt to execute unauthorized code. If confirmed malicious, this could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.", "references": ["https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible Signed Binary Proxy Execution on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_diskshadow", "definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_diskshadow_proxy_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DISM Remove Defender", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "8567da9e-47f0-11ec-99a9-acde48001122", "description": "The following analytic detects the use of `dism.exe` to remove Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific parameters for disabling and removing Windows Defender. This activity is significant because adversaries may disable Defender to evade detection and carry out further malicious actions undetected. If confirmed malicious, this could lead to the attacker gaining persistent access, executing additional payloads, or exfiltrating sensitive data without being intercepted by Windows Defender.", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender.", "risk_score": 80, "security_domain": "access", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process=\"*/online*\" AND Processes.process=\"*/disable-feature*\" AND Processes.process=\"*Windows-Defender*\" AND Processes.process=\"*/remove*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dism_remove_defender_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 5, "id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "description": "The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.", "references": ["https://hijacklibs.net/"], "tags": {"analytic_story": ["Living Off The Land", "Qakbot", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential Windows DLL Search Order Hijacking detected on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 NOT (process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`", "how_to_implement": "The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "description": "The following analytic detects DLL search order hijacking involving iscsicpl.exe. It identifies when iscsicpl.exe loads a malicious DLL from a new path, triggering the payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on child processes spawned by iscsicpl.exe. This activity is significant as it indicates a potential attempt to execute unauthorized code via DLL hijacking. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/422926799/csplugin/tree/master/bypassUAC"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_with_iscsicpl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows DLL Side-Loading In Calc", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "af01f6db-26ac-440e-8d89-2793e303f137", "description": "The following analytic detects suspicious DLL modules loaded by calc.exe that are not located in the %systemroot%\\system32 or %systemroot%\\sysWoW64 directories. This detection leverages Sysmon EventCode 7 to identify DLL side-loading, a technique often used by Qakbot malware to execute malicious DLLs. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.", "references": ["https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Image = \"*\\calc.exe\" AND NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\")) AND NOT(ImageLoaded IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\windows\\\\WinSXS\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_side_loading_in_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "description": "The following analytic identifies suspicious child processes spawned by calc.exe, indicative of DLL side-loading techniques. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, and parent processes. This activity is significant as it is commonly associated with Qakbot malware, which uses calc.exe to load malicious DLLs via regsvr32.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges, posing a severe threat to the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "calc.exe has a child process $process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dll_side_loading_process_child_of_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DNS Gather Network Info", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "description": "The following analytic detects the use of the dnscmd.exe command to enumerate DNS records. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This activity is significant as it may indicate an adversary gathering network information, a common precursor to more targeted attacks. If confirmed malicious, this behavior could enable attackers to map the network, identify critical assets, and plan subsequent actions, potentially leading to data exfiltration or further compromise of the network.", "references": ["https://cert.gov.ua/article/3718487", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A process commandline $process$ to enumerate dns record in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1590.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dnscmd.exe\" Processes.process = \"* /enumrecords *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dns_gather_network_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows DnsAdmins New Member Added", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 4, "id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "description": "The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise", "https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "A new member $user$ added to the DnsAdmins group by $src_user$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`", "how_to_implement": "To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.", "known_false_positives": "New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_dnsadmins_new_member_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "a7fbbc4e-4571-424a-b627-6968e1c939e4", "description": "The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetComputer, which is used to query Active Directory for user account details such as \"samaccountname,\" \"accountexpires,\" \"lastlogon,\" and more. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Windows Domain Account Discovery Via Get-NetComputer in $dest$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-NetComputer*\" ScriptBlockText IN (\"*samaccountname*\", \"*accountexpires*\", \"*lastlogon*\", \"*lastlogoff*\", \"*pwdlastset*\", \"*logoncount*\") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_account_discovery_via_get_netcomputer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_domain_account_discovery_via_get_netcomputer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Domain Admin Impersonation Indicator", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "10381f93-6d38-470a-9c30-d25478e3bd3f", "description": "The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.", "references": ["https://trustedsec.com/blog/a-diamond-in-the-ruff", "https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks", "https://github.com/GhostPack/Rubeus/pull/136", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "TargetUserName", "type": "User", "role": ["Victim"]}], "message": "$TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName IN (\"*$\", \"SYSTEM\", \"DWM-*\",\"LOCAL SERVICE\",\"NETWORK SERVICE\", \"ANONYMOUS LOGON\", \"UMFD-*\") | where match(GroupMembership, \"Domain Admins\") | stats count by _time, TargetUserName, GroupMembership, host | lookup domain_admins username as TargetUserName OUTPUT username | fillnull value=NotDA username | search username = \"NotDA\" | `windows_domain_admin_impersonation_indicator_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table.", "known_false_positives": "False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_domain_admin_impersonation_indicator_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "domain_admins", "description": "List of domain admins", "filename": "domain_admins.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": null, "min_matches": null, "fields_list": null}]}, {"name": "Windows DotNet Binary in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "fddf3b56-7933-11ec-98a6-acde48001122", "description": "The following analytic detects the execution of native .NET binaries from non-standard directories within the Windows operating system. It leverages Endpoint Detection and Response (EDR) telemetry, comparing process names and original file names against a predefined lookup using the `is_net_windows_file_macro` macro. This activity is significant because adversaries may move .NET binaries to unconventional paths to evade detection and execute malicious code. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file_macro` | `windows_dotnet_binary_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "is_net_windows_file_macro", "definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_dotnet_binary_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "description": "The following analytic identifies drivers being loaded across the fleet. It leverages a PowerShell script input deployed to critical systems to capture driver data. This detection is significant as it helps monitor for unauthorized or malicious drivers that could compromise system integrity. If confirmed malicious, such drivers could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244"], "tags": {"analytic_story": ["Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Drivers have been identified on $dest$.", "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`", "how_to_implement": "To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.", "known_false_positives": "Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\\drivers and look for non-standard paths.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "driverinventory", "definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Driver Load Non-Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "9216ef3d-066a-4958-8f27-c84589465e62", "description": "The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A kernel mode driver was loaded from a non-standard path on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1014", "T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_load_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Drivers Loaded by Signature", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "description": "The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"analytic_story": ["AgentTesla", "BlackByte Ransomware", "CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A driver has loaded on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1014", "T1068"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by dest Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.", "known_false_positives": "This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_drivers_loaded_by_signature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "description": "The following analytic detects the creation of a new DWORD value named \"EnableAt\" in the registry path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". This modification enables the use of the at.exe or wmi Win32_ScheduledJob commands to add scheduled tasks on a Windows endpoint. The detection leverages registry event data from the Endpoint datamodel. This activity is significant because it may indicate that an attacker is enabling the ability to schedule tasks, potentially to execute malicious code at specific times or intervals. If confirmed malicious, this could allow persistent code execution on the system.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\CurrentVersion\\\\Schedule\\\\Configuration*\" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_enable_win32_scheduledjob_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Event For Service Disabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 4, "id": "9c2620a8-94a1-11ec-b40c-acde48001122", "description": "The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["RedLine Stealer", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Service $ServiceName$ was disabled on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_system` EventCode=7040 EventData_Xml=\"*disabled*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Windows service update may cause this event. In that scenario, filtering is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_event_for_service_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Event Log Cleared", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-12", "version": 8, "id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "description": "The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"analytic_story": ["CISA AA22-264A", "Clop Ransomware", "Ransomware", "Windows Log Manipulation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows event logs cleared on $dest$ via EventCode $EventCode$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1070", "T1070.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest name EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_event_log_cleared_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Event Triggered Image File Execution Options Injection", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 2, "id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "description": "The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.", "references": ["https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.012"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_application` EventCode=3000 | rename param1 AS \"Process\" param2 AS \"Exit_Code\" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`", "how_to_implement": "This analytic requires capturing the Windows Event Log Application channel in XML.", "known_false_positives": "False positives may be present and tuning will be required before turning into a TTP or notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_event_triggered_image_file_execution_options_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Excessive Disabled Services Event", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "c3f85976-94a5-11ec-9a58-acde48001122", "description": "The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This activity is significant as it may indicate an adversary attempting to disable security applications or other critical services, potentially leading to defense evasion or destructive actions. If confirmed malicious, this behavior could allow attackers to disable security defenses, disrupt system operations, and achieve their objectives on the compromised system.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An excessive number (Count - $MessageCount$) of Windows services were disabled on dest - $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7040 \"disabled\" | stats count values(EventData_Xml) as MessageList dc(EventData_Xml) as MessageCount min(_time) as firstTime max(_time) as lastTime by Computer EventCode UserID | rename Computer as dest | where count >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_excessive_disabled_services_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Executable in Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "3e27af56-fcf0-4113-988d-24969b062be7", "description": "The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An executable $ImageLoaded$ loaded by $Image$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1129"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 ImageLoaded= *.exe | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_executable_in_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Execute Arbitrary Commands with MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "description": "The following analytic detects arbitrary command execution using Windows msdt.exe, a Diagnostics Troubleshooting Wizard. It leverages Endpoint Detection and Response (EDR) data to identify instances where msdt.exe is invoked via the ms-msdt:/ protocol handler to retrieve a remote payload. This activity is significant as it can indicate an exploitation attempt leveraging msdt.exe to execute arbitrary commands, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment, posing a severe security risk.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe Processes.process IN (\"*msdt*\",\"*ms-msdt:*\",\"*ms-msdt:/id*\",\"*ms-msdt:-id*\",\"*/id*\") AND (Processes.process=\"*IT_BrowseForFile=*\" OR Processes.process=\"*IT_RebrowseForFile=*\" OR Processes.process=\"*.xml*\") AND Processes.process=\"*PCWDiagnostic*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_execute_arbitrary_commands_with_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "description": "The following analytic detects potential data exfiltration using PowerShell's Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts that attempt to upload files via HTTP POST requests. This activity is significant as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots or files, to an external command and control (C2) server. If confirmed malicious, this could lead to data breaches, loss of sensitive information, and further compromise of the affected systems. Immediate investigation is recommended to determine the intent and scope of the activity.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1041"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Invoke-RestMethod *\" AND ScriptBlockText = \"* -Uri *\" AND ScriptBlockText = \"* -Method *\" AND ScriptBlockText = \"* Post *\" AND ScriptBlockText = \"* -InFile *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "description": "The following analytic identifies potential data exfiltration using the PowerShell `net.webclient` command with the `UploadString` method. It leverages PowerShell Script Block Logging to detect instances where this command is executed. This activity is significant as it may indicate an attempt to upload sensitive data, such as desktop screenshots or files, to an external or internal URI, often associated with malware like Winter-Vivern. If confirmed malicious, this could lead to unauthorized data transfer, compromising sensitive information and potentially leading to further exploitation of the compromised host.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1041"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Net.webclient*\" AND ScriptBlockText = \"*.UploadString*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 3, "id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "description": "The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.", "references": ["https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An certificate was exported on $dest$ from the Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter`", "how_to_implement": "To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational.", "known_false_positives": "False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "certificateservices_lifecycle", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Share Discovery With Powerview", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "description": "The following analytic detects the execution of the Invoke-ShareFinder PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block Logging to identify instances where this specific command is executed. Monitoring this activity is crucial as it indicates an attempt to enumerate network file shares, which may contain sensitive information such as backups, scripts, and credentials. If confirmed malicious, this activity could enable an attacker to escalate privileges or move laterally within the network, potentially compromising additional systems and sensitive data.", "references": ["https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Invoke-ShareFinder commandlet was executed on $Computer$", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1135"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_file_share_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "description": "The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like \"Program Files\" or \"Windows\\System32\". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a FTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1071.003", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\windows\\\\system32\\\\*\",\"*\\\\windows\\\\SysWOW64\\\\*\")) (DestinationPortName=\"ftp\" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_transfer_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows File Without Extension In Critical Folder", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-22", "version": 2, "id": "0dbcac64-963c-11ec-bf04-acde48001122", "description": "The following analytic detects the creation of files without extensions in critical folders like \"System32\\Drivers.\" It leverages data from the Endpoint.Filesystem datamodel, focusing on file paths and creation times. This activity is significant as it may indicate the presence of destructive malware, such as HermeticWiper, which drops driver components in these directories. If confirmed malicious, this behavior could lead to severe system compromise, including boot sector wiping, resulting in potential data loss and system inoperability.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "Driver file with out file extension drop in $file_path$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\System32\\\\drivers\\\\*\", \"*\\\\syswow64\\\\drivers\\\\*\") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field=\"file_name\" \"\\.(?[^\\.]*$)\" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Unknown at this point", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_file_without_extension_in_critical_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "c76b796c-27e1-4520-91c4-4a58695c749e", "description": "The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1222.001", "T1222"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\",\"xcacls.exe\") AND Processes.process IN (\"*:R*\", \"*:W*\", \"*:F*\", \"*:C*\",, \"*:N*\",\"*/P*\", \"*/E*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "0ada2f82-b7af-40cc-b1d7-1e5985afcb4e", "description": "The following analytic detects the execution of the `Get-DomainOU` cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-DomainOU` usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainOU*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_domain_organizational_units_with_getdomainou_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "e4a96dfd-667a-4487-b942-ccef5a1e81e8", "description": "The following analytic detects the execution of the `Find-InterestingDomainAcl` cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-InterestingDomainAcl*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Findstr GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-29", "version": 2, "id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "description": "The following analytic detects the use of the findstr command to search for unsecured credentials in Group Policy Preferences (GPP). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving findstr.exe with references to SYSVOL and cpassword. This activity is significant because it indicates an attempt to locate and potentially decrypt embedded credentials in GPP, which could lead to unauthorized access. If confirmed malicious, this could allow an attacker to escalate privileges or gain access to sensitive systems and data within the domain.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Findstr was executed to discover GPP credentials on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1552", "T1552.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_findstr_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Forest Discovery with GetForestDomain", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "a14803b2-4bd9-4c08-8b57-c37980edebe8", "description": "The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ForestDomain*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_forest_discovery_with_getforestdomain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Host Information Camera", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 3, "id": "e4df4676-ea41-4397-b160-3ee0140dc332", "description": "The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A Powershell script to enumerate camera detected on host - $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1592.001", "T1592"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"* Win32_PnPEntity *\" ScriptBlockText= \"*SELECT*\" ScriptBlockText= \"*WHERE*\" ScriptBlockText = \"*PNPClass*\" ScriptBlockText IN (\"*Image*\", \"*Camera*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may execute this powershell command to get hardware information related to camera on $dest$.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_gather_victim_host_information_camera_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Identity SAM Info", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "description": "The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.", "references": ["https://redcanary.com/blog/active-breach-evading-defenses/", "https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $dest$ that loads $ImageLoaded$ that are related to accessing to SAM object information.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1589.001", "T1589"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\samlib.dll\" AND OriginalFileName = \"samlib.dll\") OR (ImageLoaded = \"*\\\\samcli.dll\" AND OriginalFileName = \"SAMCLI.DLL\") AND NOT (Image IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_identity_sam_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 3, "id": "70f7c952-0758-46d6-9148-d8969c4481d1", "description": "The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like \"wtfismyip.com\" and \"ipinfo.io\". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "DarkCrystal RAT", "Phemedrone Stealer", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process connecting IP location web services on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1590.005", "T1590"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.*\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\", \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\", \"*geoip.*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "Filter internet browser application to minimize the false positive of this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_network_info_through_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-13", "version": 3, "id": "c8640777-469f-4638-ab44-c34a3233ffac", "description": "The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADComputer*\" AND ScriptBlockText = \"*TrustedForDelegation*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "date": "2024-05-22", "version": 2, "id": "d2988160-3ce9-4310-b59d-905334920cdd", "description": "The following analytic detects the execution of the `Find-LocalAdminAccess` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/", "https://attack.mitre.org/techniques/T1087/002/", "https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-LocalAdminAccess*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_get_local_admin_with_findlocaladminaccess_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Group Policy Object Created", "author": "Mauricio Velazco", "date": "2024-05-17", "version": 2, "id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "description": "The following analytic detects the creation of a new Group Policy Object (GPO) by leveraging Event IDs 5136 and 5137. This detection uses directory service change events to identify when a new GPO is created. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.varonis.com/blog/group-policy-objects"], "tags": {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}], "message": "A new group policy objected was created by $User$", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1484", "T1484.001", "T1078.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!=\"New Group Policy Object\" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Hidden Schedule Task Settings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "description": "The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"analytic_story": ["Active Directory Discovery", "CISA AA22-257A", "Data Destruction", "Industroyer2", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A schedule task with hidden setting enable in host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_hidden_schedule_task_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Hide Notification Features Through Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 4, "id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "description": "The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.ONALOCKER.A/"], "tags": {"analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification to hide windows notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_hide_notification_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows High File Deletion Frequency", "author": "Teoderick Contreras, Splunk, Steven Dick", "date": "2024-05-18", "version": 3, "id": "45b125c4-866f-11eb-a95a-acde48001122", "description": "The following analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names, and process IDs. Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted. If confirmed malicious, this activity could lead to extensive data loss and operational disruption, as ransomware can render critical files inaccessible, demanding a ransom for their recovery.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Data Destruction", "Sandworm Tools", "Swift Slicer", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "Elevated file deletion rate observed from process [$process_name$] on machine $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1485"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.cmd\", \"*.ini\",\"*.gif\", \"*.jpg\", \"*.jpeg\", \"*.db\", \"*.ps1\", \"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.bmp\",\"*.zip\", \"*.rar\", \"*.7z\", \"*.chm\", \"*.png\", \"*.log\", \"*.vbs\", \"*.js\", \"*.vhd\", \"*.bak\", \"*.wbcat\", \"*.bkf\" , \"*.backup*\", \"*.dsk\", \"*.win\") NOT TargetFilename IN (\"*\\\\INetCache\\\\Content.Outlook\\\\*\") | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to ingest logs that include the deleted target file name, process name, and process ID from your endpoints. If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.", "known_false_positives": "Users may delete a large number of pictures or files in a folder, which could trigger this detection. Additionally, heavy usage of PowerBI and Outlook may also result in false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_high_file_deletion_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "description": "The following analytic detects a process loading a version.dll file from a directory other than %windir%\\system32 or %windir%\\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host.", "references": ["https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loading $ImageLoaded$ as a side load dll in $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded = \"*\\\\version.dll\" AND (Signed = \"false\" OR NOT(ImageLoaded IN(\"*\\\\windows\\\\system32*\", \"*\\\\windows\\\\syswow64\\\\*\"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hijack_execution_flow_version_dll_side_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Hunting System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "description": "The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hunting_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Identify Protocol Handlers", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 3, "id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "description": "The following analytic identifies the use of protocol handlers executed via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because protocol handlers can be exploited to execute arbitrary commands or launch applications, potentially leading to unauthorized actions. If confirmed malicious, an attacker could use this technique to gain code execution, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e", "https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html", "https://blogs.windows.com/msedgedev/2022/01/20/getting-started-url-protocol-handlers-microsoft-edge/", "https://github.com/Mr-Un1k0d3r/PoisonHandler", "https://www.mdsec.co.uk/2021/03/phishing-users-to-take-a-test/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file", "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/disabling-the-msix-ms-appinstaller-protocol-handler/ba-p/3119479", "https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug", "https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler=\"TRUE\" | `windows_identify_protocol_handlers_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_identify_protocol_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers", "filename": "windows_protocol_handlers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows IIS Components Add New Module", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "description": "The following analytic detects the execution of AppCmd.exe to install a new module in IIS. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use it to install webshells or backdoors, leading to credit card scraping, persistence, and further post-exploitation. If confirmed malicious, this could allow attackers to maintain persistent access, execute arbitrary code, and potentially exfiltrate sensitive information from the compromised web server.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*install *\", \"*module *\") AND Processes.process=\"*image*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present until properly tuned. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_iis_components_add_new_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "author": "Michael Haag, Splunk", "date": "2024-05-03", "version": 2, "id": "20db5f70-34b4-4e83-8926-fa26119de173", "description": "The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts", "https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components", "WS FTP Server Critical Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "IIS Modules have been listed on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505.004", "T1505"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`", "how_to_implement": "You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "known_false_positives": "This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "iis_get_webglobalmodule", "definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_get_webglobalmodule_module_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows IIS Components Module Failed to Load", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "description": "The following analytic detects when an IIS Module DLL fails to load due to a configuration problem, identified by EventCode 2282. This detection leverages Windows Application event logs to identify repeated failures in loading IIS modules. Such failures can indicate misconfigurations or potential tampering with IIS components. If confirmed malicious, this activity could lead to service disruptions or provide an attacker with opportunities to exploit vulnerabilities within the IIS environment. Immediate investigation is required to determine the legitimacy of the failing module and to mitigate any potential security risks.", "references": ["https://social.technet.microsoft.com/wiki/contents/articles/21757.event-id-2282-iis-worker-process-availability.aspx", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`", "how_to_implement": "IIS must be installed and Application event logs must be collected in order to utilize this analytic.", "known_false_positives": "False positives will be present until all module failures are resolved or reviewed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_module_failed_to_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows IIS Components New Module Added", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "description": "The following analytic detects the addition of new IIS modules on a Windows IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, specifically EventCode 29, to identify this activity. This behavior is significant because IIS modules are rarely added to production servers, and unauthorized modules could indicate malicious activity. If confirmed malicious, an attacker could use these modules to execute arbitrary code, escalate privileges, or maintain persistence within the environment, potentially compromising the server and sensitive data.", "references": ["https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter`", "how_to_implement": "You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040.", "known_false_positives": "False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "iis_operational_logs", "definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_new_module_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "467ed9d9-8035-470e-ad5e-ae5189283033", "description": "The following analytic detects the use of a PowerShell commandlet to import an AppLocker XML policy. This behavior is identified by monitoring processes that execute the \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" commands with the \"-XMLPolicy\" parameter. This activity is significant because it can indicate an attempt to disable or bypass security controls, as seen in the Azorult malware. If confirmed malicious, this could allow an attacker to disable antivirus products, leading to further compromise and persistence within the environment.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker importing xml policy command was executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process=\"*Import-Module Applocker*\" AND Processes.process=\"*Set-AppLockerPolicy *\" AND Processes.process=\"* -XMLPolicy *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_add_xml_applocker_rules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "5211c260-820e-4366-b983-84bbfb5c263a", "description": "The following analytic detects modifications to the Windows registry that change the health check interval of Windows Defender. It leverages data from the Endpoint datamodel, specifically monitoring changes to the \"ServiceKeepAlive\" registry path with a value of \"0x00000001\". This activity is significant because altering Windows Defender settings can impair its ability to perform timely health checks, potentially leaving the system vulnerable. If confirmed malicious, this could allow an attacker to disable or delay security scans, increasing the risk of undetected malware or other malicious activities.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "change in the health check interval of Windows Defender on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\ServiceKeepAlive\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_health_check_intervals_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_health_check_intervals_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "783f0798-f679-4c17-b3b3-187febf0b9b8", "description": "The following analytic detects modifications to the Windows registry that change the Windows Defender Quick Scan Interval. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"QuickScanInterval\" registry path. This activity is significant because altering the scan interval can impair Windows Defender's ability to detect malware promptly, potentially allowing threats to persist undetected. If confirmed malicious, this modification could enable attackers to bypass security measures, maintain persistence, and execute further malicious activities without being detected by quick scans.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender QuickScanInterval feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Scan\\\\QuickScanInterval\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_quick_scan_interval_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_quick_scan_interval_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "f7da5fca-9261-43de-a4d0-130dad1e4f4d", "description": "The following analytic detects modifications to the ThrottleDetectionEventsRate registry setting in Windows Defender. It leverages data from the Endpoint.Registry datamodel to identify changes in the registry path related to Windows Defender's event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate can reduce the frequency of logged detection events, potentially masking malicious activities. If confirmed malicious, this could allow an attacker to evade detection by decreasing the visibility of security events, thereby hindering incident response and forensic investigations.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\ThrottleDetectionEventsRate\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_throttle_rate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_throttle_rate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "fe9391cd-952a-4c64-8f56-727cb0d4f2d4", "description": "The following analytic detects modifications to the Windows registry specifically targeting the \"WppTracingLevel\" setting within Windows Defender. This detection leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Defender tracing levels. Such modifications are significant as they can impair the diagnostic capabilities of Windows Defender, potentially hiding malicious activities. If confirmed malicious, this activity could allow an attacker to evade detection and maintain persistence within the environment, leading to further compromise and data exfiltration.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender WppTracingLevel registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\WppTracingLevel\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_change_win_defender_tracing_level_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_change_win_defender_tracing_level_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Configure App Install Control", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "c54b7439-cfb1-44c3-bb35-b0409553077c", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender SmartScreen App Install Control feature. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values. This activity is significant because disabling App Install Control can allow users to install potentially malicious web-based applications without restrictions, increasing the risk of security vulnerabilities. If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender App Install Control registry set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControl\" Registry.registry_value_data= \"Anywhere\") OR (Registry.registry_path= \"*\\\\Microsoft\\\\Windows Defender\\\\SmartScreen\\\\ConfigureAppInstallControlEnabled\" Registry.registry_value_data= \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_configure_app_install_control_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_configure_app_install_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "7215831c-8252-4ae3-8d43-db588e82f952", "description": "The following analytic detects modifications to the Windows Defender ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry datamodel to identify changes in registry values that define how Windows Defender responds to threats. This activity is significant because altering these settings can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. If confirmed malicious, this could enable attackers to bypass antivirus protections, leading to persistent threats and increased risk of data compromise or further system exploitation.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Define Windows Defender threat action through registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Threats\\\\ThreatSeverityDefaultAction*\" Registry.registry_value_data IN (\"0x00000001\", \"9\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_define_win_defender_threat_action_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_define_win_defender_threat_action_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "395ed5fe-ad13-4366-9405-a228427bdd91", "description": "The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender context menu registry key deleted on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_context_menu_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "description": "The following analytic detects the deletion of the Windows Defender main profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically monitoring for deleted actions within the Windows Defender registry path. This activity is significant as it indicates potential tampering with security defenses, often associated with Remote Access Trojans (RATs) and other malware. If confirmed malicious, this action could allow an attacker to disable Windows Defender, reducing the system's ability to detect and respond to further malicious activities, thereby compromising endpoint security.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_profile_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "description": "The following analytic detects modifications in the Windows registry by the Applocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a \"Deny\" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Applocker registry modification to deny the action of several AV products on $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy Objects\\\\*\" AND Registry.registry_path= \"*}Machine\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\") OR Registry.registry_path=\"*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\" AND Registry.registry_value_data = \"*Action\\=\\\"Deny\\\"*\" AND Registry.registry_value_data IN(\"*O=SYMANTEC*\",\"*O=MCAFEE*\",\"*O=KASPERSKY*\",\"*O=BLEEPING COMPUTER*\", \"*O=PANDA SECURITY*\",\"*O=SYSTWEAK SOFTWARE*\", \"*O=TREND MICRO*\", \"*O=AVAST*\", \"*O=GRIDINSOFT*\", \"*O=MICROSOFT*\", \"*O=NANO SECURITY*\", \"*O=SUPERANTISPYWARE.COM*\", \"*O=DOCTOR WEB*\", \"*O=MALWAREBYTES*\", \"*O=ESET*\", \"*O=AVIRA*\", \"*O=WEBROOT*\") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "False positives may be present based on organization use of Applocker. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_deny_security_software_with_applocker_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "3032741c-d6fc-4c69-8988-be8043d6478c", "description": "The following analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableControlledFolderAccess registry setting. This activity is significant because Controlled Folder Access is designed to protect critical folders from unauthorized access, including ransomware attacks. If this activity is confirmed malicious, it could allow attackers to bypass a key security feature, potentially leading to unauthorized access or modification of sensitive files.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender ControlledFolderAccess feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_controlled_folder_access_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_controlled_folder_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "8467d8cd-b0f9-46fa-ac84-a30ad138983e", "description": "The following analytic detects modifications in the Windows registry to disable firewall and network protection settings within Windows Defender Security Center. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the UILockdown registry value. This activity is significant as it may indicate an attempt to impair system defenses, potentially restricting users from modifying firewall or network protection settings. If confirmed malicious, this could allow an attacker to weaken the system's security posture, making it more vulnerable to further attacks and unauthorized access.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender firewall and network protection section feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender Security Center\\\\Firewall and network protection\\\\UILockdown\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_firewall_and_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_firewall_and_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "b2215bfb-6171-4137-af17-1a02fdd8d043", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableProtocolRecognition\" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Protocol Recognition set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\DisableProtocolRecognition\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_defender_protocol_recognition_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_defender_protocol_recognition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable PUA Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "fbfef407-cfee-4866-88c1-f8de1c16147c", "description": "The following analytic detects a modification in the Windows registry to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection leverages data from the Endpoint.Registry datamodel, focusing on registry path changes related to Windows Defender. Disabling PUA protection is significant as it reduces defenses against Potentially Unwanted Applications (PUAs), which, while not always malicious, can negatively impact user experience and security. If confirmed malicious, this activity could allow an attacker to introduce adware, browser toolbars, or other unwanted software, potentially compromising system integrity and user productivity.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender PUA protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\PUAProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_pua_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_pua_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "ffd99aea-542f-448e-b737-091c1b417274", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender signature updates. This activity is significant because disabling real-time signature delivery can prevent Windows Defender from receiving timely malware definitions, reducing its effectiveness. If confirmed malicious, this action could allow attackers to bypass malware detection, leading to potential system compromise and persistent threats.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File realtime signature delivery set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\RealtimeSignatureDelivery\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_realtime_signature_delivery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_realtime_signature_delivery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "e234970c-dcf5-4f80-b6a9-3a562544ca5b", "description": "The following analytic detects modifications to the Windows registry entry \"EnableWebContentEvaluation\" to disable Windows Defender web content evaluation. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes where the registry value is set to \"0x00000000\". This activity is significant as it indicates an attempt to impair browser security features, potentially allowing malicious web content to bypass security checks. If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender web content evaluation feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\AppHost\\\\EnableWebContentEvaluation\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_web_evaluation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_web_evaluation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "8b700d7e-54ad-4d7d-81cc-1456c4703306", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Application Guard auditing. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because disabling auditing can hinder security monitoring and threat detection within the isolated environment, making it easier for malicious activities to go unnoticed. If confirmed malicious, this action could allow attackers to bypass Windows Defender protections, potentially leading to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender AuditApplicationGuard feature set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\AppHVSI\\\\AuditApplicationGuard\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_app_guard_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_app_guard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "fe52c280-98bd-4596-b6f6-a13bbf8ac7c6", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's file hash computation by setting the EnableFileHashComputation value to 0. This detection leverages data from the Endpoint.Registry data model, focusing on changes to the specific registry path associated with Windows Defender. Disabling file hash computation can significantly impair Windows Defender's ability to detect and scan for malware, making it a critical behavior to monitor. If confirmed malicious, this activity could allow attackers to bypass Windows Defender, facilitating undetected malware execution and persistence in the environment.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender File hashes computation set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\MpEngine\\\\EnableFileHashComputation\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_compute_file_hashes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "93f114f6-cb1e-419b-ac3f-9e11a3045e70", "description": "The following analytic detects modifications in the Windows registry to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"DisableGenericRePorts\" registry value. This activity is significant as it can prevent the transmission of error reports to Microsoft's Windows Error Reporting service, potentially hiding malicious activities. If confirmed malicious, this action could allow attackers to bypass Windows Defender detections, reducing the visibility of their activities and increasing the risk of undetected system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableGenericRePorts registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Reporting\\\\DisableGenericRePorts\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_gen_reports_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_gen_reports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "8b6c15c7-5556-463d-83c7-986326c21f12", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableNetworkProtection registry entry. This activity is significant because disabling Network Protection can leave the system vulnerable to network-based threats by preventing Windows Defender from analyzing and blocking malicious network activity. If confirmed malicious, this action could allow attackers to bypass security measures, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Exploit Guard network protection set to disable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Network Protection\\\\EnableNetworkProtection\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_network_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_network_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "201946c6-b1d5-42bb-a7e0-5f7123f47fc4", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender's infection reporting. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"DontReportInfectionInformation\" registry key. This activity is significant because it can prevent Windows Defender from reporting detailed threat information to Microsoft, potentially allowing malware to evade detection. If confirmed malicious, this action could enable attackers to bypass security measures, maintain persistence, and avoid detection, leading to prolonged unauthorized access and potential data breaches.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DontReportInfectionInformation registry is enabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\MRT\\\\DontReportInfectionInformation\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_report_infection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_report_infection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "0418e72f-e710-4867-b656-0688e1523e09", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender Scan On Update feature. It leverages data from the Endpoint.Registry datamodel, specifically looking for changes to the \"DisableScanOnUpdate\" registry setting with a value of \"0x00000001\". This activity is significant because disabling automatic scans can leave systems vulnerable to malware and other threats. If confirmed malicious, this action could allow attackers to bypass Windows Defender, facilitating further compromise and persistence within the environment.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableScanOnUpdate feature set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Signature Updates\\\\DisableScanOnUpdate\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_scan_on_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_scan_on_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "7567a72f-bada-489d-aef1-59743fb64a66", "description": "The following analytic detects modifications to the Windows registry that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the DisableSignatureRetirement registry setting. This activity is significant because disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. If confirmed malicious, this action could allow an attacker to evade detection by using older, less relevant signatures, thereby compromising the system's security posture.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender DisableSignatureRetirement registry is set to enable on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\DisableSignatureRetirement\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_disable_win_defender_signature_retirement_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_disable_win_defender_signature_retirement_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "10ca081c-57b1-4a78-ba56-14a40a7e116a", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry data model, focusing on changes to specific registry values related to Microsoft Edge's phishing filter settings. This activity is significant because disabling the phishing filter can allow attackers to deceive users into visiting malicious websites without triggering browser warnings. If confirmed malicious, this could lead to users unknowingly accessing harmful sites, resulting in potential security incidents or data compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Phishing Filter registry was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = \"*\\\\MicrosoftEdge\\\\PhishingFilter\" Registry.registry_value_name IN (\"EnabledV9\", \"PreventOverride\") Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_overide_win_defender_phishing_filter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_overide_win_defender_phishing_filter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "08058866-7987-486f-b042-275715ef6e9d", "description": "The following analytic detects modifications to the Windows registry that override the Windows Defender SmartScreen prompt. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"PreventSmartScreenPromptOverride\" registry setting. This activity is significant because it indicates an attempt to disable the prevention of user overrides for SmartScreen prompts, potentially allowing users to bypass security warnings. If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen prompt was override on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\Microsoft\\\\Edge\\\\PreventSmartScreenPromptOverride\" Registry.registry_value_data= \"0x00000000\" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_override_smartscreen_prompt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_override_smartscreen_prompt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "cc2a3425-2703-47e7-818f-3dca1b0bc56f", "description": "The following analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to \"warn.\" This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ShellSmartScreenLevel registry value. This activity is significant because altering SmartScreen settings to \"warn\" can reduce immediate suspicion from users, allowing potentially malicious executables to run with just a warning prompt. If confirmed malicious, this could enable attackers to execute harmful files, increasing the risk of successful malware deployment and subsequent system compromise.", "references": ["https://x.com/malmoeb/status/1742604217989415386?s=20", "https://github.com/undergroundwires/privacy.sexy"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender SmartScreen Level to Warn on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\System\\\\ShellSmartScreenLevel\" Registry.registry_value_data=\"Warn\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable HVCI", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "description": "The following analytic detects the disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages data from the Endpoint datamodel, specifically focusing on registry paths and values related to HVCI settings. This activity is significant because HVCI helps protect the kernel and system processes from tampering by malicious code. If confirmed malicious, disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or other severe security breaches.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "HVCI has been disabled on $dest$.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\\Enabled\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to administrative scripts disabling HVCI. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_hvci_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "description": "The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"analytic_story": ["CISA AA23-347A", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderApiLogger\\\\Start\" OR Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderAuditLogger\\\\Start\") Registry.registry_value_data =\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_win_defender_auto_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indicator Removal Via Rmdir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "c4566d2c-b094-48a1-9c59-d66e22065560", "description": "The following analytic detects the execution of the 'rmdir' command with '/s' and '/q' options to delete files and directory trees. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. This activity is significant as it may indicate malware attempting to remove traces or components during cleanup operations. If confirmed malicious, this behavior could allow attackers to eliminate forensic evidence, hinder incident response efforts, and maintain persistence by removing indicators of compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process execute rmdir command to delete files and directory tree in $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1070"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*rmdir*\" Processes.process = \"* /s *\" Processes.process = \"* /q *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indicator_removal_via_rmdir_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "user and network administrator can execute this command.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indicator_removal_via_rmdir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via forfiles", "author": "Eric McGinnis, Splunk", "date": "2024-05-28", "version": 2, "id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "description": "The following analytic detects the execution of programs initiated by forfiles.exe. This command is typically used to run commands on multiple files, often within batch scripts. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where forfiles.exe is the parent process. This activity is significant because forfiles.exe can be exploited to bypass command line execution protections, making it a potential vector for malicious activity. If confirmed malicious, this could allow attackers to execute arbitrary commands, potentially leading to unauthorized access or further system compromise.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles"], "tags": {"analytic_story": ["Living Off The Land", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The forfiles command (forfiles.exe) launched the process name - $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1202"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*forfiles* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via pcalua", "author": "Eric McGinnis, Splunk", "date": "2024-05-10", "version": 2, "id": "3428ac18-a410-4823-816c-ce697d26f7a8", "description": "The following analytic detects programs initiated by pcalua.exe, the Microsoft Windows Program Compatibility Assistant. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process information. While pcalua.exe can start legitimate programs, it is significant because attackers may use it to bypass command line execution protections. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, potentially leading to unauthorized actions, privilege escalation, or persistence within the environment.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1202"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*pcalua* -a*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Filter these results as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_pcalua_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "description": "The following analytic detects excessive usage of the forfiles.exe process, which is often indicative of post-exploitation activities. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and parent process. This activity is significant because forfiles.exe can be abused to execute commands on multiple files, a technique used by ransomware like Prestige. If confirmed malicious, this behavior could allow attackers to enumerate files, potentially leading to data exfiltration or further malicious actions.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "excessive forfiles process execution in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1202"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"forfiles.exe\" OR Processes.original_file_name = \"forfiles.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_series_of_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Information Discovery Fsutil", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "2181f261-93e6-4166-a5a9-47deac58feff", "description": "The following analytic identifies the execution of the Windows built-in tool FSUTIL with the FSINFO parameter to discover file system information. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. Monitoring this activity is significant because FSUTIL can be abused by adversaries to gather detailed information about the file system, aiding in further exploitation. If confirmed malicious, this activity could enable attackers to map the file system, identify valuable data, and plan subsequent actions such as privilege escalation or persistence.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1082"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"fsutil.exe\" OR Processes.original_file_name = \"fsutil.exe\" AND Processes.process = \"*fsinfo*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_information_discovery_fsutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ingress Tool Transfer Using Explorer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 3, "id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "description": "The following analytic identifies instances where the Windows Explorer process (explorer.exe) is executed with a URL in its command line. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because adversaries, such as those using DCRat malware, may abuse explorer.exe to open URLs with the default browser, which is an uncommon and suspicious behavior. If confirmed malicious, this technique could allow attackers to download and execute malicious payloads, leading to potential system compromise and further malicious activities.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ingress_tool_transfer_using_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InProcServer32 New Outlook Form", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4", "description": "The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, potentially indicating exploitation of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths involving InProcServer32 keys linked to Outlook forms. This activity is significant as it may signify an attempt to achieve authenticated remote code execution via malicious form objects. If confirmed malicious, this could allow an attacker to create arbitrary files and registry keys, leading to remote code execution and potential full system compromise.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566", "T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" Registry.registry_value_data=*\\\\FORMS\\\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by name or path to reduce false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_inprocserver32_new_outlook_form_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Input Capture Using Credential UI Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "description": "The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded $ImageLoaded$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1056.002", "T1056"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\credui.dll\" AND OriginalFileName = \"credui.dll\") OR (ImageLoaded = \"*\\\\wincredui.dll\" AND OriginalFileName = \"wincredui.dll\") AND NOT(Image IN(\"*\\\\windows\\\\explorer.exe\", \"*\\\\windows\\\\system32\\\\*\", \"*\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName dest EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_input_capture_using_credential_ui_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Credential Theft", "author": "Michael Haag, Mauricio Velazo, Splunk", "date": "2024-05-18", "version": 5, "id": "ccfeddec-43ec-11ec-b494-acde48001122", "description": "The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.", "references": ["https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0"], "tags": {"analytic_story": ["Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "An instance of process name [$process_name$] loading a file [$loaded_file$] was identified on endpoint- [$dest$] to potentially capture credentials in memory.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Typically, this will not trigger because, by its very nature, InstallUtil does not require credentials. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_installutil_credential_theft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil in Non Standard Path", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "dcf74b22-7933-11ec-857c-acde48001122", "description": "The following analytic detects the execution of InstallUtil.exe from non-standard paths. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and original file names outside typical directories. This activity is significant because InstallUtil.exe is often used by attackers to execute malicious code or scripts. If confirmed malicious, this behavior could allow an attacker to bypass security controls, execute arbitrary code, and potentially gain unauthorized access or persist within the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Data Destruction", "Living Off The Land", "Masquerading - Rename System Utilities", "Ransomware", "Signed Binary Proxy Execution InstallUtil", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Remote Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 4, "id": "4fbf9270-43da-11ec-9486-acde48001122", "description": "The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ generating a remote download.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_remote_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "description": "The following analytic detects the use of the Windows InstallUtil.exe binary with the `/u` (uninstall) switch, which can execute code while bypassing application control. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it can indicate an attempt to execute malicious code without administrative privileges. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise or persistence within the environment.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") NOT (Processes.process IN (\"*C:\\\\WINDOWS\\\\CCM\\\\*\")) NOT (Processes.parent_process_name IN (\"Microsoft.SharePoint.Migration.ClientInstaller.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_installutil_uninstall_option_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present. Filter as needed by parent process or application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "1a52c836-43ef-11ec-a36c-acde48001122", "description": "The following analytic identifies the use of Windows InstallUtil.exe making a remote network connection using the `/u` (uninstall) switch. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and network activity data. This behavior is significant as it may indicate an attempt to download and execute code while bypassing application control mechanisms. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows InstallUtil URL in Command Line", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "28e06670-43df-11ec-a569-acde48001122", "description": "The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md", "https://gist.github.com/DanielRTeixeira/0fd06ec8f041f34a32bf5623c6dd479d"], "tags": {"analytic_story": ["Living Off The Land", "Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.004", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*http://*\",\"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_installutil_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows ISO LNK File Creation", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 3, "id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "description": "The following analytic detects the creation of .iso.lnk files in the %USER%\\AppData\\Local\\Temp\\\\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Amadey", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Spearphishing Attachments", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566", "T1204.001", "T1204"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\Microsoft\\\\Windows\\\\Recent\\\\*\") Filesystem.file_name IN (\"*.iso.lnk\", \"*.img.lnk\", \"*.vhd.lnk\", \"*vhdx.lnk\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_iso_lnk_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Java Spawning Shells", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 3, "id": "28c81306-5c47-11ec-bfea-acde48001122", "description": "The following analytic identifies instances where java.exe or w3wp.exe spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). If confirmed malicious, attackers could execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_java_spawning_shells_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Kerberos Local Successful Logon", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "8309c3a8-4d34-48ae-ad66-631658214653", "description": "The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos action=success src=127.0.0.1 | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed.", "datamodel": ["Authentication"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_kerberos_local_successful_logon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Known Abused DLL Created", "author": "Steven Dick", "date": "2024-05-17", "version": 2, "id": "ea91651a-772a-4b02-ac3d-985b364a5f07", "description": "The following analytic identifies the creation of Dynamic Link Libraries (DLLs) with a known history of exploitation in atypical locations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and filesystem events. This activity is significant as it may indicate DLL search order hijacking or sideloading, techniques used by attackers to execute arbitrary code, maintain persistence, or escalate privileges. If confirmed malicious, this activity could allow attackers to blend in with legitimate operations, posing a severe threat to system integrity and security.", "references": ["https://attack.mitre.org/techniques/T1574/002/", "https://hijacklibs.net/api/", "https://wietze.github.io/blog/hijacking-dlls-in-windows", "https://github.com/olafhartong/sysmon-modular/pull/195/files"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "The file [$file_name$] was written to an unusual location by [$process_name$] on [$dest$].", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.001", "T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!=\"unknown\" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name | `drop_dm_object_name(Processes)` | join max=0 process_guid dest [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\users\\\\*\",\"*\\\\Windows\\Temp\\\\*\",\"*\\\\programdata\\\\*\") Filesystem.file_name=\"*.dll\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc | lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded | search islibrary = TRUE AND excluded != TRUE | stats latest(*) as * by dest process_guid ] | where isnotnull(file_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_abused_dll_created_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` and `Filesystem` nodes of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic may flag instances where DLLs are loaded by user mode programs for entirely legitimate and benign purposes. It is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. This may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_known_abused_dll_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs_loaded", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs_loaded.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(library),WILDCARD(excludes)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Known GraphicalProton Loaded Modules", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "bf471c94-0324-4b19-a113-d02749b969bc", "description": "The following analytic detects the loading of DLL modules associated with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This activity is significant as it may indicate the presence of a sophisticated backdoor, warranting immediate investigation. If confirmed malicious, the attacker could gain persistent access to the compromised host, potentially leading to further exploitation and data exfiltration.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Known GraphicalProton backdoor Loaded Modules on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\AclNumsInvertHost.dll\", \"*\\\\ModeBitmapNumericAnimate.dll\", \"*\\\\UnregisterAncestorAppendAuto.dll\", \"*\\\\DeregisterSeekUsers.dll\", \"*\\\\ScrollbarHandleGet.dll\", \"*\\\\PerformanceCaptionApi.dll\", \"*\\\\WowIcmpRemoveReg.dll\", \"*\\\\BlendMonitorStringBuild.dll\", \"*\\\\HandleFrequencyAll.dll\", \"*\\\\HardSwapColor.dll\", \"*\\\\LengthInMemoryActivate.dll\", \"*\\\\ParametersNamesPopup.dll\", \"*\\\\ModeFolderSignMove.dll\", \"*\\\\ChildPaletteConnected.dll\", \"*\\\\AddressResourcesSpec.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_known_graphicalproton_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows KrbRelayUp Service Creation", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 3, "id": "e40ef542-8241-4419-9af4-6324582ea60a", "description": "The following analytic detects the creation of a service with the default name \"KrbSCM\" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"analytic_story": ["Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was created on $dest$, related to KrbRelayUp.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode ImagePath ServiceName StartType ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_krbrelayup_service_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "author": "Mauricio Velazco, Splunk", "date": "2024-05-11", "version": 2, "id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "description": "The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.", "references": ["https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "type": "Endpoint", "role": ["Victim"]}], "message": "A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1135", "T1078"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_large_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Lateral Tool Transfer RemCom", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "e373a840-5bdc-47ef-b2fd-9cc7aaf387f0", "description": "The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1570"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process=\"*\\\\*\" Processes.process IN (\"*/user:*\", \"*/pwd:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on Administrative use. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_lateral_tool_transfer_remcom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ldifde Directory Object Behavior", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "35cd29ca-f08c-4489-8815-f715c45460d3", "description": "The following analytic identifies the use of Ldifde.exe, a command-line utility for creating, modifying, or deleting LDAP directory objects. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution and command-line arguments. Monitoring Ldifde.exe is significant because it can be used by attackers to manipulate directory objects, potentially leading to unauthorized changes or data exfiltration. If confirmed malicious, this activity could allow an attacker to gain control over directory services, escalate privileges, or access sensitive information within the network.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Ldifde/", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://twitter.com/0gtweet/status/1564968845726580736?s=20", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-45D28FB47E9B6ACC5DCA9FDA3E790210.html"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1105", "T1069.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ldifde_directory_object_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Linked Policies In ADSI Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "510ea428-4731-4d2f-8829-a28293e427aa", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for domain organizational units. This detection leverages PowerShell operational logs to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, and `findAll()`. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness of the domain structure. If confirmed malicious, this could lead to further exploitation, such as privilege escalation or lateral movement within the network.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on $user$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_linked_policies_in_adsi_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Local Administrator Credential Stuffing", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "09555511-aca6-484a-b6ab-72cd03d73c34", "description": "The following analytic detects attempts to authenticate using the built-in local Administrator account across more than 30 endpoints within a 5-minute window. It leverages Windows Event Logs, specifically events 4625 and 4624, to identify this behavior. This activity is significant as it may indicate an adversary attempting to validate stolen local credentials across multiple hosts, potentially leading to privilege escalation. If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/004/", "https://attack.mitre.org/techniques/T1110/", "https://www.blackhillsinfosec.com/wide-spread-local-admin-testing/", "https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do-it/", "https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/", "https://wiki.porchetta.industries/smb-protocol/password-spraying"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Local Administrator credential stuffing attack coming from $IpAddress$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1110", "T1110.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_local_administrator_credential_stuffing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows LSA Secrets NoLMhash Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "48cc1605-538c-4223-8382-e36bee5b540d", "description": "The following analytic detects modifications to the Windows registry related to the Local Security Authority (LSA) NoLMHash setting. It identifies when the registry value is set to 0, indicating that the system will store passwords in the weaker Lan Manager (LM) hash format. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring this activity is crucial as it can indicate attempts to weaken password storage security. If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows LSA Secrets NoLMhash Registry on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\NoLMHash\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lsa_secrets_nolmhash_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_lsa_secrets_nolmhash_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mail Protocol In Non-Common Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "description": "The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a SMTP connection to $DestinationHostname$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1071.003", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\thunderbird.exe\",\"*\\\\outlook.exe\")) (DestinationPortName=\"smtp\" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mail_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mark Of The Web Bypass", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "8ca13343-7405-4916-a2d1-ae34ce0c28ae", "description": "The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.", "references": ["https://attack.mitre.org/techniques/T1553/005/", "https://github.com/nmantani/PS-MOTW#remove-motwps1"], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A mark-of-the-web data stream is deleted on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=23 TargetFilename = \"*:Zone.Identifier\" | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mark_of_the_web_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Explorer As Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "61490da9-52a1-4855-a0c5-28233c88c481", "description": "The following analytic identifies instances where explorer.exe is spawned by unusual parent processes such as cmd.exe, powershell.exe, or regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because explorer.exe is typically initiated by userinit.exe, and deviations from this norm can indicate code injection or process masquerading attempts by malware like Qakbot. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, evade detection, and maintain persistence within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" AND Processes.process IN (\"*\\\\explorer.exe\") by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_masquerading_explorer_as_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Masquerading Msdtc Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 2, "id": "238f3a07-8440-480b-b26f-462f41d9a47c", "description": "The following analytic identifies the execution of msdtc.exe with specific command-line parameters (-a or -b), which are indicative of the PlugX malware. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because PlugX uses these parameters to masquerade its malicious operations within legitimate processes, making it harder to detect. If confirmed malicious, this behavior could allow attackers to gain unauthorized access, exfiltrate data, and conduct espionage, severely compromising the affected system.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"], "tags": {"analytic_story": ["PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "msdtc.exe process with process commandline used by PlugX malware in $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1036"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"msdtc.exe\" Processes.process = \"*msdtc.exe*\" Processes.process IN (\"* -a*\", \"* -b*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_masquerading_msdtc_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_masquerading_msdtc_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Binary Execution", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "description": "The following analytic identifies the execution of the native mimikatz.exe binary on Windows systems, including instances where the binary is renamed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because Mimikatz is a widely used tool for extracting authentication credentials, posing a severe security risk. If confirmed malicious, this activity could allow attackers to obtain sensitive credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and system compromise.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.varonis.com/blog/what-is-mimikatz", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"analytic_story": ["CISA AA22-320A", "CISA AA23-347A", "Credential Dumping", "Flax Typhoon", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "description": "The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment.", "references": ["https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645"], "tags": {"analytic_story": ["CISA AA23-347A", "Sandworm Tools", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificate file extensions realted to Mimikatz were identified on disk on $dest$.", "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.keyx.rsa.pvk\",\"*sign.rsa.pvk\",\"*sign.dsa.pvk\",\"*dsa.ec.p8k\",\"*dh.ec.p8k\", \"*.pfx\", \"*.der\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_crypto_export_file_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "6410a403-36bb-490f-a06a-11c3be7d2a41", "description": "The following analytic detects modifications to the Windows registry key \"AuthenticationLevelOverride\" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for authentication level settings was modified on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Server Client\\\\AuthenticationLevelOverride\" Registry.registry_value_data = 0x00000000 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint", "Authentication"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_authenticationleveloverride_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Minor Updates", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "description": "The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" with a value of \"0x00000000\". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint", "Updates"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_minor_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Auto Update Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "description": "The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to \"Notify before download.\" This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update notification on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AUOptions\" AND Registry.registry_value_data=\"0x00000002\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_update_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Default Icon Setting", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "description": "The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under \"*HKCR\\\\*\\\\defaultIcon\\\\(Default)*\". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"analytic_story": ["LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\defaultIcon\\\\(Default)*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_default_icon_setting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Restricted Admin", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "cee573a0-7587-48e6-ae99-10e8c657e89a", "description": "The following analytic detects modifications to the Windows registry entry \"DisableRestrictedAdmin,\" which controls the Restricted Admin mode behavior. This detection leverages registry activity logs from endpoint data sources like Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Windows Modify Registry Disable Restricted Admin on $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin\" Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Administrator may change this registry setting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_restricted_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Toast Notifications", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "description": "The following analytic detects modifications to the Windows registry that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" with a value set to \"0x00000000\". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for DisallowRun settings was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_toast_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection.", "references": ["https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for raw write notification settings was modified to disable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "author": "Teoderick Contreras, Splunk", "date": "2024-05-09", "version": 2, "id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" with a value of \"0x00000001\". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to disable Windows Defender notification on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windefender_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "description": "The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" with a value of \"0x00000000\". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for security center notification settings was modified to disable mode in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windows_security_center_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "4927c6f1-4667-42e6-bd7a-f5222116386b", "description": "The following analytic detects modifications to the Windows registry key \"DisableRemoteDesktopAntiAlias\" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableRemoteDesktopAntiAlias\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disableremotedesktopantialias_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "989019b4-b7aa-418a-9a17-2293e91288b6", "description": "The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["CISA AA23-347A", "DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for terminal services settings was modified to disable security settings on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableSecuritySettings\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disablesecuritysettings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Disabling WER Settings", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "description": "The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to \"0x00000001\". This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disabled on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disabling_wer_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DisAllow Windows App", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "description": "The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" with a value of \"0x00000001\". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The registry for DisallowRun settings was modified to enable in $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disallow_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" with a value of \"0x00000001\". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_do_not_connect_to_win_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry DontShowUI", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "4ff9767b-fdf2-489c-83a5-c6c34412d72e", "description": "The following analytic detects modifications to the Windows Error Reporting registry key \"DontShowUI\" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for WER settings was modified to be disable show UI on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\DontShowUI\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_dontshowui_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry EnableLinkedConnections", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "93048164-3358-4af0-8680-aa5f38440516", "description": "The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" and the value is set to \"0x00000001\". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows EnableLinkedConnections configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_enablelinkedconnections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry LongPathsEnabled", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "36f9626c-4272-4808-aadd-267acce681c0", "description": "The following analytic detects a modification to the Windows registry setting \"LongPathsEnabled,\" which allows file paths longer than 260 characters. This detection leverages data from the Endpoint.Registry datamodel, focusing on changes to the specific registry path and value. This activity is significant because adversaries, including malware like BlackByte, exploit this setting to bypass file path limitations, potentially aiding in evasion techniques. If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"analytic_story": ["BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows LongPathEnable configuration on $dest$", "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_longpathsenabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry MaxConnectionPerServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "064cd09f-1ff4-4823-97e0-45c2f5b087ec", "description": "The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. If confirmed malicious, this could lead to network disruption or further compromise of additional systems.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in max connection per server configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPerServer*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPer1_0Server*\") Registry.registry_value_data = \"0x0000000a\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_maxconnectionperserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoRebootWithLoggedOnUsers\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry No Auto Update", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "description": "The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoUpdate\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry NoChangingWallPaper", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "a2276412-e254-4e9a-9082-4d92edb6a3e0", "description": "The following analytic detects modifications to the Windows registry aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"NoChangingWallPaper\" registry value. This activity is significant as it is a known tactic used by Rhysida ransomware to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to disable changing of wallpaper on $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ActiveDesktop\\\\NoChangingWallPaper\" Registry.registry_value_data = 1) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_nochangingwallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyEnable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5", "description": "The following analytic detects modifications to the Windows registry key \"ProxyEnable\" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Internet Settings\\ProxyEnable\" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to enable proxy on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyEnable\" Registry.registry_value_data = 0x00000001 by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyenable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry ProxyServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "12bdaa0b-3c59-4489-aae1-bff6d67746ef", "description": "The following analytic detects modifications to the Windows registry key for setting up a proxy server. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the \"Internet Settings\\\\ProxyServer\" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry settings was modified to setup proxy server on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyServer\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_proxyserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "date": "2024-05-12", "version": 3, "id": "2e768497-04e0-4188-b800-70dd2be0e30d", "description": "The following analytic detects the creation of a suspicious registry entry by Qakbot malware, characterized by 8 random registry value names with encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the \"SOFTWARE\\\\Microsoft\\\\\" path by processes like explorer.exe. This activity is significant as it indicates potential Qakbot infection, which uses the registry to store malicious code or configuration data. If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry with binary data created by $process_name$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\*\" AND Registry.registry_value_data = \"Binary Data\" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name=\"^[0-9a-fA-F]{8}\" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"explorer.exe\", \"wermgr.exe\",\"dxdiag.exe\", \"OneDriveSetup.exe\", \"mobsync.exe\", \"msra.exe\", \"xwizard.exe\") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_qakbot_binary_data_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Reg Restore", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e", "description": "The following analytic detects the execution of reg.exe with the \"restore\" parameter, indicating an attempt to restore registry backup data on a host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate post-exploitation actions, such as those performed by tools like winpeas, which use \"reg save\" and \"reg restore\" to manipulate registry settings. If confirmed malicious, this could allow an attacker to revert registry changes, potentially bypassing security controls and maintaining persistence.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* restore *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_reg_restore_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "824dd598-71be-4203-bc3b-024f4cda340e", "description": "The following analytic detects the modification of the Windows registry using the regedit.exe application with the silent mode parameter. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because the silent mode allows registry changes without user confirmation, which can be exploited by adversaries to import malicious registry settings. If confirmed malicious, this could enable attackers to persist in the environment, escalate privileges, or manipulate system configurations, leading to potential system compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The regedit app was executed with silet mode parameter to import .reg file on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\") AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command that may cause some false positive. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_regedit_silent_reg_import_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "5eb479b1-a5ea-4e01-8365-780078613776", "description": "The following analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected. It leverages data from the Risk data model in Splunk, focusing on registry-related sources and MITRE technique annotations. This activity is significant because multiple registry modifications can indicate an attempt to persist, hide malicious configurations, or erase forensic evidence. If confirmed malicious, this behavior could allow attackers to maintain persistent access, execute malicious code, and evade detection, posing a severe threat to the integrity and security of the affected host.", "references": ["https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html", "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", "https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html", "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html"], "tags": {"analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Modify Registry behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*registry*\") All_Risk.annotations.mitre_attack.mitre_technique_id IN (\"*T1112*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | `windows_modify_registry_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "description": "The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the \"Notification_Suppress\" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_suppress_win_defender_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry Tamper Protection", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "description": "The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification to tamper Windows Defender protection on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_tamper_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\UpdateServiceUrlAlternate\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_updateserviceurlalternate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry USeWuServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key \"UseWUServer.\" It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to \"0x00000001.\" This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\UseWUServer\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_usewuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "4662c6b1-0754-455e-b9ff-3ee730af3ba8", "description": "The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A md5 registry value name $registry_value_name$ is created on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\*\" Registry.registry_value_data = \"Binary Data\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, \"\\\\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,\"^[0-9a-fA-F]{32}$\"),\"md5\",\"nonmd5\") | where validation_result = \"md5\" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_with_md5_reg_key_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry WuServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 2, "id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "description": "The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification in Windows auto update configuration on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Registry wuStatusServer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "description": "The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a registry modification in Windows auto update configuration in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUStatusServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wustatusserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 4, "id": "b7548c2e-9a10-11ec-99e3-acde48001122", "description": "The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"ShowCompColor\" and \"ShowInfoTip\" values under the \"Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\" path. This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Registry modification in \"ShowCompColor\" and \"ShowInfoTips\" on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_show_compress_color_and_info_tip_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Modify System Firewall with Notable Process Path", "author": "Teoderick Contreras, Will Metcalf, Splunk", "date": "2024-05-10", "version": 2, "id": "cd6d7410-9146-4471-a418-49edba6dadc4", "description": "The following analytic detects suspicious modifications to system firewall rules, specifically allowing execution of applications from notable and potentially malicious file paths. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving firewall rule changes. This activity is significant as it may indicate an adversary attempting to bypass firewall restrictions to execute malicious files. If confirmed malicious, this could allow attackers to execute unauthorized code, potentially leading to further system compromise, data exfiltration, or persistence within the environment.", "references": ["https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.004", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" Processes.process IN (\"*\\\\windows\\\\fonts\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\windows\\\\debug\\\\*\", \"*\\\\Users\\\\Administrator\\\\Music\\\\*\", \"*\\\\Windows\\\\servicing\\\\*\", \"*\\\\Users\\\\Default\\\\*\",\"*Recycle.bin*\", \"*\\\\Windows\\\\Media\\\\*\", \"\\\\Windows\\\\repair\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\PerfLogs\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_system_firewall_with_notable_process_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_modify_system_firewall_with_notable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOF Event Triggered Execution via WMI", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "description": "The following analytic detects the execution of MOFComp.exe loading a MOF file, often triggered by cmd.exe or powershell.exe, or from unusual paths like User Profile directories. It leverages Endpoint Detection and Response (EDR) data, focusing on process names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker using WMI for persistence or lateral movement. If confirmed malicious, it could allow the attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "references": ["https://attack.mitre.org/techniques/T1546/003/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/", "https://www.sakshamdixit.com/wmi-events/"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1546.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN (\"cmd.exe\", \"powershell.exe\") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe Processes.process IN (\"*\\\\AppData\\\\Local\\\\*\",\"*\\\\Users\\\\Public\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or file paths.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mof_event_triggered_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MOVEit Transfer Writing ASPX", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "description": "The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft"], "tags": {"analytic_story": ["MOVEit Transfer Critical Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The MOVEit application on $dest$ has written a new ASPX file to disk.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\MOVEitTransfer\\\\wwwroot\\\\*\") Filesystem.file_name IN(\"*.aspx\", \"*.ashx\", \"*.asp*\") OR Filesystem.file_name IN (\"human2.aspx\",\"_human2.aspx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_moveit_transfer_writing_aspx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "396de86f-25e7-4b0e-be09-a330be35249d", "description": "The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.", "references": ["https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059", "T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`msexchange_management` EventCode=1 Message IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"*Search-Mailbox*\") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`", "how_to_implement": "The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.", "known_false_positives": "False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "msexchange_management", "definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_msexchange_management_mailbox_cmdlet_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Mshta Execution In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-12", "version": 2, "id": "e13ceade-b673-4d34-adc4-4d9c01729753", "description": "The following analytic detects the execution of mshta.exe via registry entries to run malicious scripts. It leverages registry activity logs to identify entries containing \"mshta,\" \"javascript,\" \"vbscript,\" or \"WScript.Shell.\" This behavior is significant as it indicates potential fileless malware, such as Kovter, which uses encoded scripts in the registry to persist and execute without files. If confirmed malicious, this activity could allow attackers to maintain persistence, execute arbitrary code, and evade traditional file-based detection methods, posing a significant threat to system integrity and security.", "references": ["https://redcanary.com/threat-detection-report/techniques/mshta/", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide"], "tags": {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A registry $registry_path$ contains mshta $registry_value_data$ in $dest$", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_mshta_execution_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSHTA Writing to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "efbcf8ee-bc75-47f1-8985-a5c638c4faf0", "description": "The following analytic identifies instances of `mshta.exe` writing files to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file write operations by `mshta.exe` to directories like `C:\\Windows\\Tasks` and `C:\\Windows\\Temp`. This activity is significant as it often indicates an attempt to establish persistence or execute malicious code, deviating from the utility's legitimate use. If confirmed malicious, this behavior could lead to the execution of multi-stage payloads, potentially resulting in full system compromise and unauthorized access to sensitive information.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER", "Suspicious MSHTA Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ writing to $TargetFilename$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=11 Image=\"*\\\\mshta.exe\" TargetFilename IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") | rename Computer as dest, User as user | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_writing_to_world_writable_path_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The search focuses on EventCode 11 where the Image is `mshta.exe` and the TargetFilename is within world-writable directories such as `C:\\Windows\\Tasks`, `C:\\Windows\\Temp`, and others. The detection is designed to catch the initial file write operation by `mshta.exe` to these locations, which is indicative of an attempt to establish persistence or execute malicious code. The analytic can be modified to include additional world-writable directories as needed.", "known_false_positives": "False positives may occur if legitimate processes are writing to world-writable directories. It is recommended to investigate the context of the file write operation to determine if it is malicious or not. Modify the search to include additional known good paths for `mshta.exe` to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mshta_writing_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-06", "version": 2, "id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "description": "The following analytic detects the execution of msiexec.exe with the /y switch parameter, which enables the loading of DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line arguments and parent-child process relationships. This activity is significant because it can indicate an attempt to register malicious DLLs, potentially leading to code execution or persistence on the system. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/y*\", \"*-y*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "9683271d-92e4-43b5-a907-1983bfb9f7fd", "description": "The following analytic detects the execution of the msiexec.exe process with the /HideWindow and rundll32 command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because it is a known tactic used by malware like QakBot to mask malicious operations under legitimate system processes. If confirmed malicious, this behavior could allow an attacker to download additional payloads, execute malicious code, or establish communication with remote servers, thereby evading detection and maintaining persistence.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a msiexec parent process with /hidewindow rundll32 process commandline in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = msiexec.exe Processes.process = \"* /HideWindow *\" Processes.process = \"* rundll32*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_hidewindow_rundll32_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Other possible 3rd party msi software installers use this technique as part of its installation process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_hidewindow_rundll32_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Remote Download", "author": "Michael Haag, Splunk", "date": "2024-05-08", "version": 2, "id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "description": "The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*http://*\", \"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, filter by destination or parent process as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_remote_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn Discovery Command", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "description": "The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN (\"powershell.exe\",\"cmd.exe\", \"nltest.exe\",\"ipconfig.exe\",\"systeminfo.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_discovery_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Spawn WinDBG", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "9a18f7c2-1fe3-47b8-9467-8b3976770a30", "description": "The following analytic identifies the unusual behavior of MSIExec spawning WinDBG. It detects this activity by analyzing endpoint telemetry data, specifically looking for instances where 'msiexec.exe' is the parent process of 'windbg.exe'. This behavior is significant as it may indicate an attempt to debug or tamper with system processes, which is uncommon in typical user activity and could signify malicious intent. If confirmed malicious, this activity could allow an attacker to manipulate or inspect running processes, potentially leading to privilege escalation or persistence within the environment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name=windbg.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process_path Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_msiexec_spawn_windbg_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_windbg_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "description": "The following analytic detects the use of msiexec.exe with the /z switch parameter, which is used to unload DLLRegisterServer. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line arguments. This activity is significant because unloading DLLRegisterServer can be indicative of an attempt to deregister a DLL, potentially disrupting legitimate services or hiding malicious activity. If confirmed malicious, this could allow an attacker to disable security controls, evade detection, or disrupt system functionality, leading to further compromise of the environment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file.", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/z*\", \"*-z*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_unregister_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows MSIExec With Network Connections", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "827409a1-5393-4d8d-8da4-bbb297c262a7", "description": "The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.007"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering is required.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_msiexec_with_network_connections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multi hop Proxy TOR Website Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "4c2d198b-da58-48d7-ba27-9368732d0054", "description": "The following analytic identifies DNS queries to known TOR proxy websites, such as \"*.torproject.org\" and \"www.theonionrouter.com\". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process $Image$ is having a dns query in a tor domain $QueryName$ in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1071.003", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=22 QueryName IN (\"*.torproject.org\", \"www.theonionrouter.com\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this proxies if allowed in production environment. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multi_hop_proxy_tor_website_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Multiple Account Passwords Changed", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "faefb681-14be-4f0d-9cac-0bc0160c7280", "description": "The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ changed the passwords of multiple accounts in a short period of time.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4724 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_account_passwords_changed_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_account_passwords_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Accounts Deleted", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "49c0d4d6-c55d-4d3a-b3d5-7709fafed70d", "description": "The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ deleted multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4726 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_deleted_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_accounts_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Accounts Disabled", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "5d93894e-befa-4429-abde-7fc541020b7b", "description": "The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "message": "User $src_user$ disabled multiple accounts in a short period of time.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1098", "T1078"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4725 status=success | bucket span=10m _time | stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID | where unique_users > 5 | `windows_multiple_accounts_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events with the Windows TA. The Advanced Security Audit policy setting `Audit User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_accounts_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 3, "id": "98f22d82-9d62-11eb-9fcf-acde48001122", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 3, "id": "001266a6-9d5b-11eb-829b-acde48001122", "description": "The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "57ad5a64-9df7-11eb-a290-acde48001122", "description": "The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 3, "id": "e61918fa-9ca4-11eb-836c-acde48001122", "description": "The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-26", "version": 3, "id": "7ed272a4-9c77-11eb-af22-acde48001122", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 3, "id": "9015385a-9c84-11eb-bef2-acde48001122", "description": "The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack from $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 3, "id": "3a91a212-98a9-11eb-b86a-acde48001122", "description": "The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these events over a 5-minute window. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 3, "id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Network Share Interaction With Net", "author": "Dean Luxton", "date": "2023-04-21", "version": 1, "id": "4dc3951f-b3f8-4f46-b412-76a483f72277", "description": "This analytic detects network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities.", "references": ["https://attack.mitre.org/techniques/T1135/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation", "Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1135", "T1039"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.orig_process_name=\"net.exe\" OR Processes.orig_process_name=\"net1net[\\s\\.ex1]+view|net[\\s\\.ex1]+share|net[\\s\\.ex1]+use\\s.exe\") BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | regex process=\"net[\\s\\.ex1]+view|net[\\s\\.ex1]+share|net[\\s\\.ex1]+use\\s\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_with_net_filter`", "how_to_implement": "The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common Information Model (CIM) to normalize the field names capture the data within the datamodel schema.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_network_share_interaction_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows New InProcServer32 Added", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "0fa86e31-0f73-4ec7-9ca3-dc88e117f1db", "description": "The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ .", "risk_score": 2, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_new_inprocserver32_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 3, "id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "description": "The following analytic detects the execution of ngrok.exe on a Windows operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly used by adversaries to bypass network defenses and establish reverse proxies. If confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, or facilitate further attacks by tunneling traffic through the compromised system.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1090", "T1102"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft AdvancedRun", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "bb4f3090-7ae4-11ec-897f-acde48001122", "description": "The following analytic detects the execution of AdvancedRun.exe, a tool with capabilities similar to remote administration programs like PsExec. It identifies the process by its name or original file name and flags common command-line arguments. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. Monitoring this activity is crucial as AdvancedRun can be used for remote code execution and configuration-based automation. If malicious, this could allow attackers to execute arbitrary commands, escalate privileges, or maintain persistence within the environment.", "references": ["http://www.nirsoft.net/utils/advanced_run.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "Ransomware", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1588.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN (\"*EXEFilename*\",\"*/cfg*\",\"*RunAs*\", \"*WindowState*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_advancedrun_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows NirSoft Utilities", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "description": "The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/TA18-201A", "http://www.nirsoft.net/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1588.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software_macro` | `windows_nirsoft_utilities_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present. Filtering may be required before setting to alert.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "is_nirsoft_software_macro", "definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_utilities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Njrat Fileless Storage via Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "a5fffbbd-271f-4980-94ed-4fbf17f0af1c", "description": "The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a suspicious registry entry related to NjRAT keylloging registry in $dest$", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1027.011", "T1027"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\[kl]\" OR Registry.registry_value_data IN (\"*[ENTER]*\", \"*[TAP]*\", \"*[Back]*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_njrat_fileless_storage_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Non Discord App Access Discord LevelDB", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "1166360c-d495-45ac-87a6-8948aac1fa07", "description": "The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A non-discord process $process_name$ accessing discord \"leveldb\" file on $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\discord\\\\Local Storage\\\\leveldb*\") AND process_name != *\\\\discord.exe AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_non_discord_app_access_discord_leveldb_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_non_discord_app_access_discord_leveldb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Non-System Account Targeting Lsass", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 3, "id": "b1ce9a72-73cf-11ec-981b-acde48001122", "description": "The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_path", "type": "Process", "role": ["Parent Process"]}], "message": "A process, $parent_process_path$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on legitimate application requests, filter based on source image as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Hunting", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "description": "The following analytic identifies the execution of Odbcconf.exe within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the process name is Odbcconf.exe. This activity is significant because Odbcconf.exe can be used by attackers to execute arbitrary commands or load malicious DLLs, potentially leading to code execution or persistence. If confirmed malicious, this behavior could allow an attacker to maintain access to the system, execute further malicious activities, or escalate privileges, posing a significant threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.008"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present as this is meant to assist with filtering and tuning.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load DLL", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "description": "The following analytic detects the execution of odbcconf.exe with the regsvr action to load a DLL. This is identified by monitoring command-line arguments in process creation logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to execute arbitrary code via DLL loading, a common technique used in various attack vectors. If confirmed malicious, this could allow an attacker to execute code with the privileges of the odbcconf.exe process, potentially leading to system compromise or further lateral movement.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*/a *\", \"*-a*\") Processes.process=\"*regsvr*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Odbcconf Load Response File", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "description": "The following analytic detects the execution of odbcconf.exe with a response file, which may contain commands to load a DLL (REGSVR) or other instructions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to execute arbitrary code or load malicious DLLs, potentially leading to unauthorized actions. If confirmed malicious, this could allow an attacker to gain code execution, escalate privileges, or establish persistence within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.008"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*-f *\",\"*/f *\") Processes.process=\"*.rsp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_response_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Office Product Spawning MSDT", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 5, "id": "127eba64-c981-40bf-8589-1830638864a7", "description": "The following analytic detects a Microsoft Office product spawning the Windows msdt.exe process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt to exploit protocol handlers to bypass security controls, even if macros are disabled. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "Office parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"outlook.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_office_product_spawning_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PaperCut NG Spawn Shell", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "description": "The following analytic detects instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, such as cmd.exe or PowerShell. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is pc-app.exe. This activity is significant as it may indicate an attacker attempting to gain unauthorized access or execute malicious commands on the system. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or further compromise of the affected environment.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present, but most likely not. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_papercut_ng_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Parent PID Spoofing with Explorer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-25", "version": 2, "id": "17f8f69c-5d00-4c88-9c6f-493bbdef20a1", "description": "The following analytic identifies a suspicious `explorer.exe` process with the `/root` command-line parameter. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and command-line data. The presence of `/root` in `explorer.exe` is significant as it may indicate parent process spoofing, a technique used by malware to evade detection. If confirmed malicious, this activity could allow an attacker to operate undetected, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment.", "references": ["https://x.com/CyberRaiju/status/1273597319322058752?s=20"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An explorer.exe process with process commandline $process$ on dest $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1134.004", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*explorer.exe*\" Processes.process=\"*/root,*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_parent_pid_spoofing_with_explorer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_parent_pid_spoofing_with_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Password Managers Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "description": "The following analytic identifies command-line activity that searches for files related to password manager software, such as \"*.kdbx*\" and \"*credential*\". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because attackers often target password manager databases to extract stored credentials, which can be used for further exploitation. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, enabling attackers to escalate privileges, move laterally, or exfiltrate critical data.", "references": ["https://attack.mitre.org/techniques/T1555/005/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to password manager databases in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1555.005"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.kdbx*\", \"*credential*\", \"*key3.db*\",\"*pass*\", \"*cred*\", \"*key4.db*\", \"*accessTokens*\", \"*access_tokens*\", \"*.htpasswd*\", \"*Ntds.dit*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_password_managers_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "fca01769-5163-4b3a-ae44-de874adfc9bc", "description": "The following analytic detects the creation of a DLL file by an outlook.exe process in the AppData\\Local\\Microsoft\\FORMS directory. This detection leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on process and file creation events. This activity is significant as it may indicate an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially malicious DLL. If confirmed malicious, this could allow an attacker to execute arbitrary code, leading to further system compromise or data exfiltration.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "tags": {"analytic_story": ["Outlook RCE CVE-2024-21378"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "an outlook process dropped dll file into $file_path$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name =\"*.dll\" Filesystem.file_path = \"*\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` | fields file_name file_path process_name process_path process dest file_create_time _time process_guid] | `windows_phishing_outlook_drop_dll_in_form_dir_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_outlook_drop_dll_in_form_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing PDF File Executes URL Link", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "description": "The following analytic detects suspicious PDF viewer processes spawning browser application child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it may indicate a PDF spear-phishing attempt where a malicious URL link is executed, leading to potential payload download. If confirmed malicious, this could allow attackers to execute code, escalate privileges, or persist in the environment by exploiting the user's browser to connect to a malicious site.", "references": ["https://twitter.com/pr0xylife/status/1615382907446767616?s=20"], "tags": {"analytic_story": ["Snake Keylogger", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"AcroRd32.exe\", \"FoxitPDFReader.exe\") Processes.process_name IN (\"firefox.exe\", \"chrome.exe\", \"iexplore.exe\") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_pdf_file_executes_url_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 3, "id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "description": "The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"analytic_story": ["AgentTesla", "Azorult", "Brute Ratel C4", "IcedID", "Qakbot", "Remcos", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.iso\" OR Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.img\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_phishing_recent_iso_exec_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Possible Credential Dumping", "author": "Michael Haag, Splunk", "date": "2024-05-31", "version": 4, "id": "e4723b92-7266-11ec-af45-acde48001122", "description": "The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-264A", "CISA AA23-347A", "Credential Dumping", "DarkSide Ransomware", "Detect Zerologon Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "message": "A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1003.001", "T1003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe granted_access IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_possible_credential_dumping_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Post Exploitation Risk Behavior", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "edb930df-64c2-4bb7-9b5c-889ed53fb973", "description": "The following analytic identifies four or more distinct post-exploitation behaviors on a Windows system. It leverages data from the Risk data model in Splunk Enterprise Security, focusing on multiple risk events and their associated MITRE ATT&CK tactics and techniques. This activity is significant as it indicates potential malicious actions following an initial compromise, such as persistence, privilege escalation, or data exfiltration. If confirmed malicious, this behavior could allow attackers to maintain control, escalate privileges, and further exploit the compromised environment, leading to significant security breaches and data loss.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat"], "tags": {"analytic_story": ["Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"*Windows Post-Exploitation*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_post_exploitation_risk_behavior_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "datamodel": ["Risk"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_post_exploitation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "description": "The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing \"system.enterpriseservices.internal.publish\". This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell was used to install a module to the Global Assembly Cache on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*system.enterpriseservices.internal.publish*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on developers or third party utilities adding items to the GAC.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_add_module_to_global_assembly_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Cryptography Namespace", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 3, "id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "description": "The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A suspicious powershell script contains cryptography command detected on host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_cryptography_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Disable HTTP Logging", "author": "Michael Haag, Splunk", "date": "2024-05-05", "version": 2, "id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "description": "The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to \"false\" or \"dontLog\". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union"], "tags": {"analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562", "T1562.002", "T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*get-WebConfigurationProperty*\",\"*Set-ItemProperty*\") AND ScriptBlockText IN (\"*httpLogging*\",\"*Logfile.enabled*\") AND ScriptBlockText IN (\"*dontLog*\", \"*false*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "description": "The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-certificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-pfxcertificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "description": "The following analytic detects the use of the Get-CimInstance cmdlet with the -ComputerName parameter, indicating an attempt to retrieve information from a remote computer. It leverages PowerShell Script Block Logging to identify this specific command execution. This activity is significant as it may indicate unauthorized remote access or information gathering by an attacker. If confirmed malicious, this could allow the attacker to collect sensitive data from remote systems, potentially leading to further exploitation or lateral movement within the network.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_get_ciminstance_remote_computer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "description": "The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, or modify IIS Modules. This detection leverages PowerShell Script Block Logging, specifically monitoring EventCode 4104 for these cmdlets. This activity is significant as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed malicious, this could allow attackers to persist in the environment, manipulate web server behavior, or escalate privileges.", "references": ["https://learn.microsoft.com/en-us/powershell/module/webadministration/new-webglobalmodule?view=windowsserver2022-ps", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*New-WebGlobalModule*\",\"*Enable-WebGlobalModule*\",\"*Set-WebGlobalModule*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Web"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_iis_components_webglobalmodule_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell Import Applocker Policy", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "description": "The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059", "T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "administrators may execute this command that may cause some false positive.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_import_applocker_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Powershell RemoteSigned File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "f7f7456b-470d-4a95-9703-698250645ff4", "description": "The following analytic identifies the use of the \"remotesigned\" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing \"remotesigned\" and \"-File\". This activity is significant because the \"remotesigned\" policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3"], "tags": {"analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A PowerShell commandline with remotesigned policy executed on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"* remotesigned *\" Processes.process=\"* -File *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_powershell_remotesigned_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell ScheduleTask", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "description": "The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise.", "references": ["https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "message": "The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-ScheduledTask*\", \"*New-ScheduledTaskAction*\", \"*New-ScheduledTaskSettingsSet*\", \"*New-ScheduledTaskTrigger*\", \"*Register-ClusteredScheduledTask*\", \"*Register-ScheduledTask*\", \"*Set-ClusteredScheduledTask*\", \"*Set-ScheduledTask*\", \"*Start-ScheduledTask*\", \"*Enable-ScheduledTask*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_scheduletask_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "47c69803-2c09-408b-b40a-063c064cbb16", "description": "The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1059.001", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powershell_wmi_win32_scheduledjob_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerSploit GPP Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "0130a0df-83a1-4647-9011-841e950ff302", "description": "The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://adsecurity.org/?p=2288", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "message": "Commandlets leveraged to discover GPP credentials were executed on $Computer$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1552", "T1552.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powersploit_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "author": "Mauricio Velazco, Splunk", "date": "2024-05-17", "version": 2, "id": "39405650-c364-4e1e-a740-32a63ef042a6", "description": "The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1078/002/", "https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/"], "tags": {"analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView AD acccess control list enumeration detected on $Computer$", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1078.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_ad_access_control_list_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-TrustedToAuth*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_constrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-31", "version": 2, "id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "description": "The following analytic detects the execution of the `Get-DomainSPNTicket` commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging (EventCode=4104). This commandlet requests Kerberos service tickets for specified service principal names (SPNs). Monitoring this activity is crucial as it can indicate attempts to perform Kerberoasting, a technique used to extract SPN account passwords via cracking tools like hashcat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive accounts, potentially leading to privilege escalation and further network compromise.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for requesting SPN service ticket executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView SPN Discovery", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "a7093c28-796c-4ebb-9997-e2c18b870837", "description": "The following analytic detects the execution of the `Get-DomainUser` or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) to identify these specific commands. This activity is significant as it suggests an attempt to enumerate domain accounts associated with Service Principal Names (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this could allow an attacker to identify and target accounts for credential theft, potentially leading to unauthorized access and privilege escalation within the network.", "references": ["https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "PowerView commandlets used for SPN discovery executed on $dest$", "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558", "T1558.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_spn_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 3, "id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "description": "The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "CISA AA23-347A", "Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$", "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1018"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\" OR ScriptBlockText = \"*Get-NetComputer*\") AND (ScriptBlockText = \"*-Unconstrained*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_powerview_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Private Keys Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 2, "id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "description": "The following analytic identifies processes that retrieve information related to private key files, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that search for private key certificates. This activity is significant as it indicates potential attempts to locate insecurely stored credentials, which adversaries can exploit for privilege escalation, persistence, or remote service authentication. If confirmed malicious, this behavior could allow attackers to access sensitive information, escalate privileges, or maintain persistence within the compromised environment.", "references": ["https://attack.mitre.org/techniques/T1552/004/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a process with commandline $process$ that can retrieve information related to private keys in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552.004", "T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.rdg*\", \"*.gpg*\", \"*.pgp*\", \"*.p12*\", \"*.der*\", \"*.csr*\", \"*.cer*\", \"*.ovpn*\", \"*.key*\", \"*.ppk*\", \"*.p12*\", \"*.pem*\", \"*.pfx*\", \"*.p7b*\", \"*.asc*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_private_keys_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "author": "Steven Dick", "date": "2024-05-23", "version": 2, "id": "6a80300a-9f8a-4f22-bd3e-09ca577cfdfc", "description": "The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring or Sysmon EventID 1. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068", "T1548", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid, integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename user as src_user, parent_process* as orig_parent_process*, process* as parent_process* | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_integrity_level IN (\"system\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\")) OR (Processes.process_integrity_level IN (\"high\",\"system\") AND (Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") OR Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\"))) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename parent_process_guid as join_guid ] | where elevated_integrity_level > integrity_level OR user != elevated_user | fields dest, user, src_user, parent_process_name, parent_process, parent_process_path, parent_process_guid, parent_process_integrity_level, parent_process_current_directory, process_name, process, process_path, process_guid, process_integrity_level, process_current_directory, orig_parent_process_name, orig_parent_process, orig_parent_process_guid, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_suspicious_process_elevation_filter`", "how_to_implement": "Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.", "known_false_positives": "False positives may be generated by administrators installing benign applications using run-as/elevation.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_suspicious_process_elevation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation System Process Without System Parent", "author": "Steven Dick", "date": "2024-05-28", "version": 2, "id": "5a5351cd-ba7e-499e-ad82-2ce160ffa637", "description": "The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1068", "T1548", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=1 IntegrityLevel=\"system\" ParentUser=* NOT ParentUser IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"*DWM-*\",\"*$\",\"-\") | eval src_user = replace(ParentUser,\"^[^\\\\\\]+\\\\\\\\\",\"\") | stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name values(process) as process, values(process_path) as process_path, values(process_current_directory) as process_current_directory values(parent_process) as parent_process by dest, user, src_user, parent_process_name, parent_process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_system_process_without_system_parent_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.", "known_false_positives": "Unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_privilege_escalation_system_process_without_system_parent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "author": "Steven Dick", "date": "2024-05-13", "version": 2, "id": "c9687a28-39ad-43c6-8bcf-eaf061ba0cbe", "description": "The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.", "references": ["https://attack.mitre.org/techniques/T1068/", "https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor", "https://redcanary.com/blog/getsystem-offsec/", "https://atomicredteam.io/privilege-escalation/T1134.001/"], "tags": {"analytic_story": ["Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Other", "role": ["Attacker"]}], "message": "The user $user$ launched a process [$process_name$] which spawned a system level integrity process [$system_process$].", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1068", "T1548", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\",\"high\") NOT Processes.user IN (\"*SYSTEM\",\"*LOCAL SERVICE\",\"*NETWORK SERVICE\",\"DWM-*\",\"*$\") AND Processes.process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_guid, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval join_guid = process_guid | join max=0 dest join_guid [| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"system\") AND Processes.parent_process_path IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\Temp\\\\*\",\"*\\\\ProgramData\\\\*\") by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid, process* as system_process*, user as system_user ] | fields dest, user, parent_process, parent_process_name, parent_process_guid, process, process_name, process_guid, process_integrity_level,process_path, process_current_directory, system_process_name, system_process, system_process_path, system_process_integrity_level, system_process_current_directory, system_user, firstTime, lastTime, count | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_privilege_escalation_user_process_spawn_system_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 15.", "known_false_positives": "Unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_privilege_escalation_user_process_spawn_system_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Commandline Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "67d2a52e-a7e2-4a5d-ae44-a21212048bc2", "description": "The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to process commandline discovery detected on $dest$ using wmic.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1057"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process= \"* process *\" Processes.process= \"* get commandline *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_commandline_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_commandline_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "d131673f-ede1-47f2-93a1-0108d3e7fafd", "description": "The following analytic identifies instances of the searchindexer.exe process that are not spawned by services.exe, indicating potential process injection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes. This activity is significant because QakBot malware often uses a fake searchindexer.exe to evade detection and perform malicious actions such as data exfiltration and keystroke logging. If confirmed malicious, this activity could allow attackers to maintain persistence, steal sensitive information, and communicate with command and control servers.", "references": ["https://twitter.com/Max_Mal_/status/1736392741758611607", "https://twitter.com/1ZRR4H/status/1735944522075386332"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An uncommon non-service searchindexer.exe process in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != services.exe Processes.process_name=searchindexer.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_in_non_service_searchindexer_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_injection_in_non_service_searchindexer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection into Notepad", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "description": "The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.", "references": ["https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055", "T1055.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage IN (*\\\\notepad.exe) NOT (SourceImage IN (\"*\\\\system32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\Program Files\\\\*\")) GrantedAccess IN (\"0x40\",\"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_into_notepad_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "description": "The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.", "references": ["https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055.001", "T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\wermgr.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_of_wermgr_to_known_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Remote Thread", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "description": "The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Qakbot", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055", "T1055.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\Taskmgr.exe\", \"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\",\"*\\\\cmd.exe\", \"*\\\\powershell.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_remote_thread_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection Wermgr Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "description": "The following analytic identifies a suspicious instance of wermgr.exe spawning a child process unrelated to error or fault handling. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant as it can indicate Qakbot malware, which injects malicious code into wermgr.exe to evade detection and execute malicious actions. If confirmed malicious, this behavior could allow an attacker to conduct reconnaissance, execute arbitrary code, and persist within the network, posing a severe security risk.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wermgr parent process has a child process $process_name$ in $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" AND NOT (Processes.process_name IN (\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_injection_wermgr_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Injection With Public Source Path", "author": "Teoderick Contreras, Splunk", "date": "2024-05-10", "version": 2, "id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "description": "The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1055", "T1055.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=8 TargetImage = \"*.exe\" AND NOT(SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_with_public_source_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process With NamedPipe CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "e64399d4-94a8-11ec-a9da-acde48001122", "description": "The following analytic detects processes with command lines containing named pipes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. This behavior is significant as it is often used by adversaries, such as those behind the Olympic Destroyer malware, for inter-process communication post-injection, aiding in defense evasion and privilege escalation. If confirmed malicious, this activity could allow attackers to maintain persistence, escalate privileges, or evade defenses, potentially leading to further compromise of the system.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Process with named pipe in $process$ on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*\\\\\\\\.\\\\pipe\\\\*\" NOT (Processes.process_path IN (\"*\\\\program files*\")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Normal browser application may use this technique. Please update the filter macros to remove false positives.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_with_namedpipe_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Process Writing File to World Writable Path", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "c051b68c-60f7-4022-b3ad-773bec7a225b", "description": "The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://research.splunk.com/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File", "role": ["Attacker"]}], "message": "A process wrote a file name- [$file_name$] to a world writable file path [$file_path$] on host- [$dest$].", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name=*.txt Filesystem.file_path IN (\"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\tracing\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\*\", \"*\\\\Windows\\\\PLA\\\\Templates\\\\*\", \"*\\\\Windows\\\\PLA\\\\Reports\\\\en-US\\\\*\", \"*\\\\Windows\\\\PLA\\\\Rules\\\\en-US\\\\*\", \"*\\\\Windows\\\\Registration\\\\CRMLog\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\*\", \"*\\\\Windows\\\\System32\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\*\", \"*\\\\Windows\\\\System32\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\SERVERS\\\\*\", \"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\*\", \"*\\\\Windows\\\\System32\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Com\\\\dmp\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\RemoteApp and Desktop Connections Update\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\Tasks\\\\Microsoft\\\\Windows\\\\PLA\\\\System\\\\*\") by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_writing_file_to_world_writable_path_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file creation event, process name, file path and, file name. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may occur if legitimate software writes to these paths. Modify the search to include additional file name extensions. To enhance it further, adding a join on Processes.process_name may assist with restricting the analytic to specific process names. Investigate the process and file to determine if it is malicious.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_process_writing_file_to_world_writable_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "description": "The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like \"PServiceControl.exe\" and \"PService_PPD.exe\" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process was terminated $process_name$ in $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=5 process_name IN (\"PServiceControl.exe\", \"PService_PPD.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_processes_killed_by_industroyer2_malware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Protocol Tunneling with Plink", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "description": "The following analytic detects the use of Plink for protocol tunneling, either for egress or lateral movement within an organization. It identifies specific Plink command-line options (-R, -L, -D, -l) by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to bypass network security controls or establish unauthorized connections. If confirmed malicious, this could allow an attacker to exfiltrate data, move laterally across the network, or maintain persistent access, posing a severe threat to the organization's security.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html", "https://attack.mitre.org/techniques/T1572/", "https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5"], "tags": {"analytic_story": ["CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1021.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe OR Processes.original_file_name=Plink Processes.process IN (\"*-R *\", \"*-L *\", \"*-D *\", \"*-l *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_protocol_tunneling_with_plink_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "description": "The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"portproxy\" and \"v4tov4\" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1090.001", "T1090"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* portproxy *\" Processes.process = \"* v4tov4 *\" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Proxy Via Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "0270455b-1385-4579-9ac5-e77046c508ae", "description": "The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A registry modification for port proxy in$dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1090.001", "T1090"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry Browser List Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "description": "The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process accessing installed default browser registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\", \"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\") AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "uninstall application may access this registry to remove the entry of the target application. filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_query_registry_browser_list_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Query Registry Reg Save", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "cbee60c1-b776-456f-83c2-faa56bdbe6c6", "description": "The following analytic detects the execution of the reg.exe process with the \"save\" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the \"reg save\" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["CISA AA23-347A", "Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* save *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_query_registry_reg_save_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Query Registry UnInstall Program List", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "description": "The following analytic detects a suspicious query on the uninstall application list in the Windows OS registry. It leverages Windows Security Event logs, specifically event code 4663, to identify access to the \"Uninstall\" registry key. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing uninstall registry on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1012"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path=\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_query_registry_uninstall_program_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Raccine Scheduled Task Deletion", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "c9f010da-57ab-11ec-82bd-acde48001122", "description": "The following analytic identifies the deletion of the Raccine Rules Updater scheduled task using the `schtasks.exe` command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may delete this task to disable Raccine, a tool designed to prevent ransomware attacks. If confirmed malicious, this action could allow ransomware to execute without interference, leading to potential data encryption and loss.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/Neo23x0/Raccine"], "tags": {"analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1562.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*delete*\" AND Processes.process=\"*Raccine*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, however filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_raccine_scheduled_task_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-16", "version": 2, "id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "description": "The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1003.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!=\"ANONYMOUS LOGON\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_rapid_authentication_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Rasautou DLL Execution", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "description": "The following analytic detects the execution of an arbitrary DLL by the Windows Remote Auto Dialer (rasautou.exe). This behavior is identified by analyzing process creation events where rasautou.exe is executed with specific command-line arguments. This activity is significant because it leverages a Living Off The Land Binary (LOLBin) to execute potentially malicious code, bypassing traditional security controls. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise, privilege escalation, or persistent access within the environment.", "references": ["https://github.com/mandiant/DueDLLigence", "https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1", "https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513", "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode"], "tags": {"analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055.001", "T1218", "T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe Processes.process=\"* -d *\"AND Processes.process=\"* -p *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rasautou_dll_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Disk Volume Partition", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "a85aa37e-9647-11ec-90c5-acde48001122", "description": "The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process accessing disk partition $Device$ in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1561.002", "T1561"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_disk_volume_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "author": "Teoderick Contreras, Splunk", "date": "2024-05-11", "version": 2, "id": "7b83f666-900c-11ec-a2d9-acde48001122", "description": "The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.", "references": ["https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["BlackByte Ransomware", "CISA AA22-264A", "Caddy Wiper", "Data Destruction", "Graceful Wipe Out Attack", "Hermetic Wiper", "NjRAT", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "process accessing MBR $Device$ on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1561.002", "T1561"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\Harddisk0\\\\DR0 NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_master_boot_record_drive_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows RDP Connection Successful", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "description": "The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.", "references": ["https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706", "https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "BlackByte Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A successful RDP connection on $dest$ occurred.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1563.002"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_rdp_connection_successful_filter`", "how_to_implement": "The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.", "known_false_positives": "False positives will be present, filter as needed or restrict to critical assets on the perimeter.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "remoteconnectionmanager", "definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_rdp_connection_successful_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry BootExecute Modification", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "description": "The following analytic detects modifications to the BootExecute registry key, which manages applications and services executed during system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\". This activity is significant because unauthorized changes to this key can indicate attempts to achieve persistence, load malicious code, or tamper with the boot process. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1542", "T1547.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will need to be filtered.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_bootexecute_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Certificate Added", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "description": "The following analytic detects the installation of a root CA certificate by monitoring specific registry paths for SetValue events. It leverages data from the Endpoint datamodel, focusing on registry paths containing \"certificates\" and registry values named \"Blob.\" This activity is significant because unauthorized root CA certificates can compromise the integrity of encrypted communications and facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an attacker to intercept, decrypt, or manipulate sensitive data, leading to severe security breaches.", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004"], "tags": {"analytic_story": ["Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A root certificate was added on $dest$.", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.004", "T1553"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\certificates\\\\*\") AND Registry.registry_value_name=\"Blob\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_certificate_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Delete Task SD", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "ffeb7893-ff06-446f-815b-33ca73224e92", "description": "The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions or modifications of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security. Immediate investigation is required.", "references": ["https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://gist.github.com/MHaggis/5f7fd6745915166fc6da863d685e2728", "https://gist.github.com/MHaggis/b246e2fae6213e762a6e694cabaf0c17"], "tags": {"analytic_story": ["Scheduled Tasks", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A scheduled task security descriptor was deleted from the registry on $dest$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Schedule\\\\TaskCache\\\\Tree\\\\*\") Registry.user=\"SYSTEM\" Registry.registry_value_name=\"SD\" (Registry.action=Deleted OR Registry.action=modified) by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_delete_task_sd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "author": "Teoderick Contreras, Michael Haag, Splunk", "date": "2024-05-20", "version": 5, "id": "c6149154-c9d8-11eb-9da7-acde48001122", "description": "The following analytic identifies modifications to the SafeBoot registry keys, specifically within the Minimal and Network paths. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring these keys is crucial as adversaries can use them to persist drivers or services in Safe Mode, with Network allowing network connections. If confirmed malicious, this activity could enable attackers to maintain persistence even in Safe Mode, potentially bypassing certain security measures and facilitating further malicious actions.", "references": ["https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md", "https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/"], "tags": {"analytic_story": ["Ransomware", "Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$", "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1547.001", "T1547"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\*\",\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\*\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "updated windows application needed in safe boot may used this registry", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_modification_for_safe_mode_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry Payload Injection", "author": "Steven Dick", "date": "2024-05-10", "version": 2, "id": "c6b2d80f-179a-41a1-b95e-ce5601d7427a", "description": "The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless", "https://attack.mitre.org/techniques/T1027/011/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ added a suspicious length of registry data on $dest$.", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1027", "T1027.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_payload_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Registry SIP Provider Modification", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "3b4e18cb-497f-4073-85ad-1ada7c2107ab", "description": "The following analytic detects modifications to the Windows Registry SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths and values related to Cryptography Providers and OID Encoding Types. This activity is significant as it may indicate an attempt to subvert trust controls, a common tactic for bypassing security measures and maintaining persistence. If confirmed malicious, an attacker could manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Review the modified registry paths and concurrent processes to identify the attack source.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows Registry SIP Provider Modification detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1553.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\*\", \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType*\") Registry.registry_value_name IN (\"Dll\",\"$DLL\") by Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_registry_sip_provider_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Regsvr32 Renamed Binary", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "description": "The following analytic identifies instances where the regsvr32.exe binary has been renamed and executed. This detection leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original filename metadata. Renaming regsvr32.exe is significant as it can be an evasion technique used by attackers to bypass security controls. If confirmed malicious, this activity could allow an attacker to execute arbitrary DLLs, potentially leading to code execution, privilege escalation, or persistence within the environment.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "regsvr32 was renamed as $process_name$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1218.010", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_regsvr32_renamed_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "description": "The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", "https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html", "https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html", "https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager", "https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html", "https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html"], "tags": {"analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219", "T1003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName==\"credui.dll\", 1, OriginalFileName==\"DBGHELP.DLL\", 1, OriginalFileName==\"SAMCLI.DLL\", 1, OriginalFileName==\"winhttp.dll\", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, \"credui.dll\"), 1, match(ImageLoaded, \"dbghelp.dll\"), 1, match(ImageLoaded, \"samcli.dll\"), 1, match(ImageLoaded, \"winhttp.dll\"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "This module can be loaded by a third party application. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_access_software_brc4_loaded_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Access Software Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "8bd22c9f-05a2-4db1-b131-29271f28cb0a", "description": "The following analytic identifies the use of remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This detection is significant as unauthorized remote access tools can be used by adversaries to maintain persistent access to compromised systems. If confirmed malicious, this activity could allow attackers to remotely control systems, exfiltrate data, or further infiltrate the network. Review the identified software to ensure it is authorized and take action against any unauthorized utilities.", "references": ["https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "The following Remote Access Software $process_name$ was identified on $dest$.", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Remote Access Software RMS Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "description": "The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing \"SYSTEM\\\\Remote Manipulator System.\" This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry related to RMS tool is created in $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\Remote Manipulator System*\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_rms_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Assistance Spawning Process", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "ced50492-8849-11ec-9f68-acde48001122", "description": "The following analytic detects Microsoft Remote Assistance (msra.exe) spawning PowerShell.exe or cmd.exe as a child process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where msra.exe is the parent process. This activity is significant because msra.exe typically does not spawn command-line interfaces, indicating potential process injection or misuse. If confirmed malicious, an attacker could use this technique to execute arbitrary commands, escalate privileges, or maintain persistence on the compromised system.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://app.any.run/tasks/ca1616de-89a1-4afc-a3e4-09d428df2420/"], "tags": {"analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed. Add additional shells as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_assistance_spawning_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Remote Create Service", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "description": "The following analytic identifies the creation of a new service on a remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring for EventCode 7045, which indicates a new service creation. This activity is significant as it may indicate lateral movement or remote code execution attempts by an attacker. If confirmed malicious, this could allow the attacker to establish persistence, escalate privileges, or execute arbitrary code on the remote system, potentially leading to further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN (\"*create*\") Processes.process=\"*\\\\\\\\*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_create_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "description": "The following analytic detects the execution of the RDPWInst.exe tool, which is an RDP wrapper library used to enable remote desktop host support and concurrent RDP sessions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and specific command-line arguments. This activity is significant because adversaries can abuse this tool to establish unauthorized RDP connections, facilitating remote access and potential lateral movement within the network. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and further compromise of the targeted host.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Rdpwinst.exe executed on $dest$.", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"RDPWInst.exe\" OR Processes.original_file_name=\"RDPWInst.exe\") AND Processes.process IN (\"* -i*\", \"* -s*\", \"* -o*\", \"* -w*\", \"* -r*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This tool was designed for home usage and not commonly seen in production environment. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_service_rdpwinst_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Rdp In Firewall", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "description": "The following analytic detects modifications to the Windows firewall to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"netsh.exe\" to allow TCP port 3389. This activity is significant as it may indicate an adversary attempting to gain remote access to a compromised host, a common tactic for lateral movement. If confirmed malicious, this could allow attackers to remotely control the system, leading to potential data exfiltration or further network compromise.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "new firewall rules was added to allow rdp connection to $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"netsh.exe\" OR Processes.original_file_name= \"netsh.exe\") AND Processes.process = \"*firewall*\" AND Processes.process = \"*add*\" AND Processes.process = \"*protocol=TCP*\" AND Processes.process = \"*localport=3389*\" AND Processes.process = \"*action=allow*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_rdp_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Allow Remote Assistance", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "description": "The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Control\\\\Terminal Server\\\\fAllowToGetHelp\" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_remote_assistance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Remote Services Rdp Enable", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "description": "The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"fDenyTSConnections\" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "the registry for rdp protocol was modified to enable in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_remote_services_rdp_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Replication Through Removable Media", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "description": "The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "message": "executable or script $file_path$ was dropped in root drive $root_drive$ in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1091"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"%:\") AND dropped_file_path_split_count = 2 AND root_drive!= \"C:\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_replication_through_removable_media_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Root Domain linked policies Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 2, "id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "description": "The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"analytic_story": ["Active Directory Discovery", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087.002", "T1087"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*.SearchRooT*\" ScriptBlockText = \"*.gplink*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_root_domain_linked_policies_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 Apply User Settings Changes", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d", "description": "The following analytic detects the execution of a suspicious rundll32 command line that updates user-specific system parameters, such as desktop backgrounds, display settings, and visual themes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"user32.dll,UpdatePerUserSystemParameters.\" This activity is significant as it is uncommon for legitimate purposes and has been observed in Rhysida Ransomware for defense evasion. If confirmed malicious, this could allow an attacker to disguise activities or make unauthorized system changes, potentially leading to persistent unauthorized access.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Rhysida Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "Process $process_name$ with cmdline $process$ in host $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1218", "T1218.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,UpdatePerUserSystemParameters*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_apply_user_settings_changes_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_apply_user_settings_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDAV Request", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "320099b7-7eb1-4153-a2b4-decb53267de2", "description": "The following analytic identifies the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDAV instance. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt to exploit CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to execute remote code or exfiltrate data, posing a severe threat to the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\",\"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Rundll32 WebDav With Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "description": "The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\", \"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Created Via XML", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 3, "id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "description": "The following analytic detects the creation of scheduled tasks in Windows using schtasks.exe with the -create flag and an XML parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it is a common technique for establishing persistence or achieving privilege escalation, often used by malware like Trickbot and Winter-Vivern. If confirmed malicious, this could allow attackers to maintain access, execute additional payloads, and potentially lead to data theft or ransomware deployment.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["CISA AA23-347A", "Scheduled Tasks", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process=\"* /xml *\" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_created_via_xml_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task Service Spawned Shell", "author": "Steven Dick", "date": "2024-05-14", "version": 2, "id": "d8120352-3b62-4e3c-8cb6-7b47584dd5e8", "description": "The following analytic detects when the Task Scheduler service (\"svchost.exe -k netsvcs -p -s Schedule\") spawns common command line, scripting, or shell execution binaries such as \"powershell.exe\" or \"cmd.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment.", "references": ["https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations", "https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A windows scheduled task spawned the shell application $process_name$ on $dest$.", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*\\\\system32\\\\svchost.exe*\" AND Processes.parent_process=\"*-k*\" AND Processes.parent_process= \"*netsvcs*\" AND Processes.parent_process=\"*-p*\" AND Processes.parent_process=\"*-s*\" AND Processes.parent_process=\"*Schedule*\" Processes.process_name IN(\"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"cmd.exe\", \"sh.exe\", \"ksh.exe\", \"zsh.exe\", \"bash.exe\", \"scrcons.exe\",\"pwsh.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown, possible custom scripting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_service_spawned_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Scheduled Task with Highest Privileges", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "description": "The following analytic detects the creation of a new scheduled task with the highest execution privileges via Schtasks.exe. It leverages Endpoint Detection and Response (EDR) logs to monitor for specific command-line parameters ('/rl' and 'highest') in schtasks.exe executions. This activity is significant as it is commonly used in AsyncRAT attacks for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to maintain persistent access and execute tasks with elevated privileges, potentially leading to unauthorized system access and data breaches.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "CISA AA23-347A", "RedLine Stealer", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053", "T1053.005"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_with_highest_privileges_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Schtasks Create Run As System", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "41a0e58e-884c-11ec-9976-acde48001122", "description": "The following analytic detects the creation of a new scheduled task using Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it often indicates an attempt to gain elevated privileges or maintain persistence within the environment. If confirmed malicious, an attacker could execute code with SYSTEM-level privileges, potentially leading to data theft, ransomware deployment, or further system compromise. Immediate investigation and mitigation are crucial to prevent further damage.", "references": ["https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"], "tags": {"analytic_story": ["Qakbot", "Scheduled Tasks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_schtasks", "definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_schtasks_create_run_as_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Screen Capture Via Powershell", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "description": "The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "message": "A PowerShell script was identified possibly performing screen captures on $Computer$.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1113"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[Drawing.Graphics]::FromImage(*\" AND ScriptBlockText = \"*New-Object Drawing.Bitmap*\" AND ScriptBlockText = \"*.CopyFromScreen*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_screen_capture_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Account Manager Stopped", "author": "Rod Soto, Jose Hernandez, Splunk", "date": "2024-05-20", "version": 3, "id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "description": "The following analytic detects the stopping of the Windows Security Account Manager (SAM) service via command-line, typically using the \"net stop samss\" command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because stopping the SAM service can disrupt authentication mechanisms and is often associated with ransomware attacks like Ryuk. If confirmed malicious, this action could lead to unauthorized access, privilege escalation, and potential system-wide compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $process$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE (\"Processes.process_name\"=\"net*.exe\" \"Processes.process\"=\"*stop \\\"samss\\\"*\") BY Processes.dest Processes.user Processes.process Processes.process_guid Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_security_account_manager_stopped_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Security Support Provider Reg Query", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "description": "The following analytic identifies command-line activity querying the registry for Security Support Providers (SSPs) related to Local Security Authority (LSA) protection and configuration. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on processes accessing specific LSA registry paths. Monitoring this activity is crucial as adversaries and post-exploitation tools like winpeas may use it to gather information on LSA protections, potentially leading to credential theft. If confirmed malicious, attackers could exploit this to scrape password hashes or plaintext passwords from memory, significantly compromising system security.", "references": ["https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Sneaky Active Directory Persistence Tricks", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with reg query command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1547.005", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA*\" Processes.process IN (\"*RunAsPPL*\" , \"*LsaCfgFlags*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_security_support_provider_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Server Software Component GACUtil Install to GAC", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "description": "The following analytic detects the use of GACUtil.exe to add a DLL into the Global Assembly Cache (GAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adding a DLL to the GAC allows it to be called by any application, potentially enabling widespread code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code across the operating system, leading to privilege escalation or persistent access.", "references": ["https://strontic.github.io/xcyclopedia/library/gacutil.exe-F2FE4DF74BD214EDDC1A658043828089.html", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://learn.microsoft.com/en-us/dotnet/framework/app-domains/gac"], "tags": {"analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1505", "T1505.004"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN (\"*-i *\",\"*/i *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_server_software_component_gacutil_install_to_gac_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create Kernel Mode Driver", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "description": "The following analytic identifies the creation of a new kernel mode driver using the sc.exe command. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. The activity is significant because adding a kernel driver is uncommon in regular operations and can indicate an attempt to gain low-level access to the system. If confirmed malicious, this could allow an attacker to execute code with high privileges, potentially compromising the entire system and evading traditional security measures.", "references": ["https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"], "tags": {"analytic_story": ["CISA AA22-320A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.", "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.003", "T1543", "T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*kernel*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present based on common applications adding new drivers, however, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_create_kernel_mode_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Create RemComSvc", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "0be4b5d6-c449-4084-b945-2392b519c33b", "description": "The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the \"RemCom Service\" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A new service was created related to RemCom on $dest$.", "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"RemCom Service\" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present, filter as needed based on administrative activity.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_create_remcomsvc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Create SliverC2", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "description": "The following analytic detects the creation of a Windows service named \"Sliver\" with the description \"Sliver Implant,\" indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.", "references": ["https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16", "https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://regex101.com/r/DWkkXm/1"], "tags": {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A user mode service was created on $dest$ related to SliverC2.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives should be limited, but if another service out there is named Sliver, filtering may be needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_create_sliverc2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Create with Tscon", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "c13b3d74-6b63-4db5-a841-4206f0370077", "description": "The following analytic detects potential RDP Hijacking attempts by identifying the creation of a Windows service using sc.exe with a binary path that includes tscon.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it indicates an attacker may be trying to hijack a disconnected RDP session, posing a risk of unauthorized access. If confirmed malicious, the attacker could gain control over an existing user session, leading to potential data theft or further system compromise.", "references": ["https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1563.002", "T1563", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*/dest:rdp-tcp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_create_with_tscon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Created with Suspicious Service Path", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 5, "id": "429141be-8311-11eb-adb6-acde48001122", "description": "The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "Clop Ransomware", "Flax Typhoon", "PlugX", "Qakbot", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImagePath", "type": "File", "role": ["Attacker"]}], "message": "A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1569", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_created_with_suspicious_service_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Created Within Public Path", "author": "Mauricio Velazco, Splunk", "date": "2024-05-15", "version": 3, "id": "3abb2eda-4bb8-11ec-9ae4-3e22fbd008af", "description": "The following analytic detects the creation of a Windows Service with its binary path located in public directories using Windows Event ID 7045. This detection leverages logs from the `wineventlog_system` data source, focusing on the `ImagePath` field to identify services installed outside standard system directories. This activity is significant as it may indicate the installation of a malicious service, often used by adversaries for lateral movement or remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or further compromise the system.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://pentestlab.blog/2020/07/21/lateral-movement-services/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "ServiceName", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service $ServiceName$ with a public path was created on $dest$", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath = \"*.exe\" NOT (ImagePath IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Service Creation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "description": "The following analytic identifies the creation of a Windows Service on a remote endpoint using `sc.exe`. It detects this activity by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include remote paths and service creation commands. This behavior is significant because adversaries often exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_creation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Creation Using Registry Entry", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-30", "version": 4, "id": "25212358-948e-11ec-ad47-acde48001122", "description": "The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Brute Ratel C4", "CISA AA23-347A", "PlugX", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was created on a endpoint from $dest$ using a registry entry", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.011"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Third party tools may used this technique to create services but not so common.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_creation_using_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Deletion In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-14", "version": 2, "id": "daed6823-b51c-4843-a6ad-169708f1323e", "description": "The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"analytic_story": ["Brute Ratel C4", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A service was deleted on $dest$ within the Windows registry.", "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_deletion_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Initiation on Remote Endpoint", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "3f519894-4276-11ec-ab02-3e22fbd008af", "description": "The following analytic detects the execution of `sc.exe` with command-line arguments used to start a Windows Service on a remote endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because adversaries may exploit the Service Control Manager for lateral movement and remote code execution. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A Windows Service was started on a remote endpoint from $dest", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543", "T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop By Deletion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "196ff536-58d9-4d1b-9686-b176b04e430b", "description": "The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"], "tags": {"analytic_story": ["Azorult", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process=\"* delete *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible administrative scripts may start/stop/delete services. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_stop_by_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Via Net and SC Application", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "827af04b-0d08-479b-9b84-b7d4644e4b80", "description": "The following analytic identifies attempts to stop services on a system using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line executions. This activity is significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Graceful Wipe Out Attack", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$process$ was executed on $dest$ attempting to stop service.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.original_file_name= \"sc.exe\" AND Processes.process=\"*stop*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Windows OS or software may stop and restart services due to some critical update.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_service_stop_via_net__and_sc_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Service Stop Win Updates", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "description": "The following analytic detects the disabling of Windows Update services, such as \"Update Orchestrator Service for Windows Update,\" \"WaaSMedicSvc,\" and \"Windows Update.\" It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"analytic_story": ["CISA AA23-347A", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Windows update services $service_name$ was being disabled on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_system` EventCode=7040 (service_name IN (\"Update Orchestrator Service for Windows Update\", \"WaaSMedicSvc\", \"Windows Update\") OR param1 IN (\"UsoSvc\", \"WaaSMedicSvc\", \"wuauserv\")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)", "known_false_positives": "Network administrator may disable this services as part of its audit process within the network. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_stop_win_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows SIP Provider Inventory", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "21c5af91-1a4a-4511-8603-64fb41df3fad", "description": "The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats.", "references": ["https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "message": "A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1553.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`subjectinterfacepackage` Dll=*\\\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`", "how_to_implement": "To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1", "known_false_positives": "False positives are limited as this is a hunting query for inventory.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "subjectinterfacepackage", "definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_provider_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "6ffc7f88-415b-4278-a80d-b957d6539e1a", "description": "The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that \"The digital signature of the object did not verify.\" This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"analytic_story": ["Subvert Trust Controls SIP and Trust Provider Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Failed trust validation via the CryptoAPI 2 on $dest$ for a binary.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1553.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`capi2_operational` EventID=81 \"The digital signature of the object did not verify.\" | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sip_winverifytrust_failed_trust_validation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware File Modification Crmlog", "author": "Michael Haag, Splunk", "date": "2024-05-07", "version": 2, "id": "27187e0e-c221-471d-a7bd-04f698985ff6", "description": "The following analytic identifies the creation of a .crmlog file within the %windows%\\Registration directory, typically with a format of ..crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A file related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1027"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\registration\\\\*\" AND Filesystem.file_name=\"*.crmlog\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_file_modification_crmlog_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "628d9c7c-3242-43b5-9620-7234c080a726", "description": "The following analytic detects the creation of the comadmin.dat file in the %windows%\\system32\\Com directory, which is associated with Snake Malware. This detection leverages the Endpoint.Filesystem data model to identify file creation events matching the specified path and filename. This activity is significant because the comadmin.dat file is part of Snake Malware's installation process, which includes dropping a kernel driver and a custom DLL. If confirmed malicious, this activity could allow an attacker to load a malicious driver, potentially leading to privilege escalation and persistent access to the compromised system.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\system32\\\\com\\\\*\" AND Filesystem.file_name=\"comadmin.dat\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_kernel_driver_comadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "description": "The following analytic identifies modifications to the registry path .wav\\\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A registry modification related to Snake Malware has been identified on $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1112"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\.wav\\\\OpenWithProgIds\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require tuning based on program Ids in large organizations.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Snake Malware Service Create", "author": "Michael Haag, Splunk", "date": "2024-05-13", "version": 2, "id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "description": "The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.", "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1547.006", "T1569.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "False positives should be limited as this is a strict primary indicator used by Snake Malware.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_snake_malware_service_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows SOAPHound Binary Execution", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "8e53f839-e127-4d6d-a54d-a2f67044a57f", "description": "The following analytic detects the execution of the SOAPHound binary (`soaphound.exe`) with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and other process-related metadata. This activity is significant because SOAPHound is a known tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could allow an attacker to extract sensitive information, escalate privileges, or persist within the environment, posing a severe threat to organizational security.", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "tags": {"analytic_story": ["Windows Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The process $process_name$ was executed on $dest$ related to SOAPHound.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"soaphound.exe\" OR Processes.original_file_name=\"soaphound.exe\" AND Processes.process IN (\"*--buildcache *\", \"*--bhdump *\", \"*--certdump *\", \"*--dnsdump *\", \"*-c *\", \"*--cachefilename *\", \"*-o *\", \"*--outputdirectory *\") by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_path Processes.process_integrity_level Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_soaphound_binary_execution_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as the command-line arguments are specific to SOAPHound. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_soaphound_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 3, "id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "description": "The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise.", "references": ["https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a office document process $Image$ connect to an URL link $QueryName$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=22 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\",\"*\\\\wordpad.exe\",\"*\\\\wordview.exe\",\"*\\\\onenote.exe\", \"*\\\\onenotem.exe\",\"*\\\\onenoteviewer.exe\",\"*\\\\onenoteim.exe\", \"*\\\\msaccess.exe\") AND NOT(QueryName IN (\"*.office.com\", \"*.office.net\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Office document may contain legitimate url link other than MS office Domain. filter is needed", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "description": "The following analytic detects OneNote spawning `mshta.exe`, a behavior often associated with spearphishing attacks. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where OneNote is the parent process. This activity is significant as it is commonly used by malware families like TA551, AsyncRat, Redline, and DCRAT to execute malicious scripts. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. Immediate investigation and containment are recommended.", "references": ["https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"analytic_story": ["AsyncRAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1566.001", "T1566"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"onenote.exe\", \"onenotem.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "No false positives known. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "author": "Mauricio Velazco, Splunk", "date": "2024-05-24", "version": 3, "id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "description": "The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319113(v=ws.11)", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/tactics/TA0008/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "message": "A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1087", "T1021.002", "T1135"], "mitre_attack_enrichments": []}, "type": "TTP", "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as dest values(PrivilegeList) as privileges by _time, Caller_User_Name | rename Caller_User_Name as user| where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_special_privileged_logon_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows SQL Spawning CertUtil", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "dfc18a5a-946e-44ee-a373-c0f60d06e676", "description": "The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "tags": {"analytic_story": ["Flax Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\", \"launchpad.exe\", \"sqldumper.exe\") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_sql_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3", "description": "The following analytic detects the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, excluding legitimate loads from the System32 directory. This activity is significant as it indicates potential DLL sideloading, a technique used by adversaries to execute malicious code within trusted processes. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and evade detection by blending with legitimate processes.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading $ImageLoaded$ was detected on $dest$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1574.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 (Image=\"*\\\\SQLDumper.exe\" OR Image=\"*\\\\SQLWriter.exe\") ImageLoaded=\"*\\\\vcruntime140.dll\" NOT ImageLoaded=\"C:\\\\Windows\\\\System32\\\\*\" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sqlwriter_sqldumper_dll_sideload_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_sqlwriter_sqldumper_dll_sideload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "author": "Steven Dick", "date": "2024-05-11", "version": 3, "id": "cbe761fc-d945-4c8c-a71d-e26d12255d32", "description": "The following analytic detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). It leverages Windows Security Event Codes 4886 and 4887 to identify these actions. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain elevated privileges or persist within the environment, potentially leading to unauthorized access to sensitive information and further exploitation.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 activity by $src_user$ - $flavor_text$", "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4886,4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| fillnull | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | eval flavor_text = case(EventCode==\"4886\",\"A suspicious certificate was requested using request ID: \".'RequestId',EventCode==\"4887\", \"A suspicious certificate was issued using request ID: \".'RequestId'.\". To revoke this certifacte use this request ID or the SSL fingerprint [\".'ssl_hash'.\"]\"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates___esc1_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "author": "Steven Dick", "date": "2024-05-24", "version": 2, "id": "f0306acf-a6ab-437a-bbc6-8628f8d5c97e", "description": "The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf", "https://github.com/ly4k/Certipy#esc1", "https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ssl_hash", "type": "Other", "role": ["Attacker"]}, {"name": "ssl_serial", "type": "Other", "role": ["Attacker"]}], "message": "Possible AD CS ESC1 authentication on $dest$", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1649", "T1550"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode IN (4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id==\"4887\", \"User account [\".'user'.\"] authenticated after a suspicious certificate was issued for it by [\".'src_user'.\"] using certificate request ID: \".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.", "known_false_positives": "False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates___esc1_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "description": "The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. This detection helps in identifying and correlating suspicious certificate-related activities for further investigation.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was issued to $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_certificate_issued_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Certificate Request", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "description": "The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A certificate was requested by $dest$.", "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_certificate_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "author": "Michael Haag, Splunk", "date": "2024-05-04", "version": 2, "id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "description": "The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN (\"*-backupdb *\", \"*-backup *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_certutil_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "description": "The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security.", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10)"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Certificates were exported via the CryptoAPI 2 on $dest$.", "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_cryptoapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates CS Backup", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "description": "The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "The Active Directory Certiciate Services was backed up on $dest$.", "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_cs_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export Certificate", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 2, "id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "description": "The following analytic detects the use of the PowerShell cmdlet 'export-certificate' executed via the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. Exporting certificates is significant as it may indicate credential theft or preparation for man-in-the-middle attacks. If confirmed malicious, this activity could allow an attacker to impersonate users, decrypt sensitive communications, or gain unauthorized access to systems and data.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-certificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "391329f3-c14b-4b8d-8b37-ac5012637360", "description": "The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` on the command line, indicating an attempt to export a certificate from the local Windows Certificate Store. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an attempt to exfiltrate authentication certificates, which can be used to impersonate users or decrypt sensitive data. If confirmed malicious, this could lead to unauthorized access and potential data breaches.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1649"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-pfxcertificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "description": "The following analytic identifies the execution of the Windows OS tool klist.exe, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process details. Monitoring klist.exe is significant as it can indicate attempts to list or gather cached Kerberos tickets, which are crucial for lateral movement or privilege escalation. If confirmed malicious, this activity could enable attackers to move laterally within the network or escalate privileges, posing a severe security risk.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process klist.exe executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1558"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"klist.exe\" OR Processes.original_file_name = \"klist.exe\" Processes.parent_process_name IN (\"cmd.exe\", \"powershell*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_steal_or_forge_kerberos_tickets_klist_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Suspect Process With Authentication Traffic", "author": "Steven Dick", "date": "2024-05-15", "version": 2, "id": "953322db-128a-4ce9-8e89-56e039e33d98", "description": "The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1087", "T1087.002", "T1204", "T1204.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", "how_to_implement": "To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.", "known_false_positives": "Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.", "datamodel": ["Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_suspect_process_with_authentication_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "description": "The following analytic detects the use of the decompile parameter with the HTML Help application (HH.exe). This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions involving the decompile parameter. This activity is significant because it is an uncommon command and has been associated with APT41 campaigns, where it was used to unpack HTML help files for further malicious actions. If confirmed malicious, this technique could allow attackers to execute arbitrary commands, potentially leading to further compromise and persistence within the environment.", "references": ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"analytic_story": ["Living Off The Land", "Suspicious Compiled HTML Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "$process_name$ has been identified using decompile against a CHM on $dest$ under user $user$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1218.001", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using ldap Nslookup", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "description": "The following analytic detects the execution of nslookup.exe to query domain information using LDAP. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as nslookup.exe can be abused by malware like Qakbot to gather critical domain details, such as SRV records and server names. If confirmed malicious, this behavior could allow attackers to map the network, identify key servers, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.", "references": ["https://securelist.com/qakbot-technical-analysis/103931/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System nslookup domain discovery on $dest$", "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"nslookup.exe\" OR Processes.original_file_name = \"nslookup.exe\") AND Processes.process = \"*_ldap._tcp.dc._msdcs*\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "dministrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_ldap_nslookup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Discovery Using Qwinsta", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "description": "The following analytic detects the execution of \"qwinsta.exe\" on a Windows operating system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. The \"qwinsta.exe\" tool is significant because it can display detailed session information on a remote desktop session host server. This behavior is noteworthy as it is commonly abused by Qakbot malware to gather system information and send it back to its Command and Control (C2) server. If confirmed malicious, this activity could lead to unauthorized data exfiltration and further compromise of the host.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta", "https://securelist.com/qakbot-technical-analysis/103931/"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "System qwinsta domain discovery on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"qwinsta.exe\" OR Processes.original_file_name = \"qwinsta.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline tool for auditing purposes. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_qwinsta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System File on Disk", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "description": "The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"analytic_story": ["CISA AA22-264A", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A new driver is present on $dest$.", "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.sys*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")). This will level out the noise generated to potentally lead to generating notables.", "known_false_positives": "False positives will be present. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System LogOff Commandline", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "description": "The following analytic detects the execution of the Windows command line to log off a host machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes involving `shutdown.exe` with specific parameters. This activity is significant as it is often associated with Advanced Persistent Threats (APTs) and Remote Access Trojans (RATs) like dcrat, which use this technique to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name $process_name$ is seen to execute logoff commandline on $dest$", "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /l*\", \"* -l*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_logoff_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Config Discovery Display DNS", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "description": "The following analytic identifies the execution of the \"ipconfig /displaydns\" command, which retrieves DNS reply information using the built-in Windows tool IPConfig. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. Monitoring this activity is significant as threat actors and post-exploitation tools like WINPEAS often abuse this command to gather network information. If confirmed malicious, this activity could allow attackers to map the network, identify DNS servers, and potentially facilitate further network-based attacks or lateral movement.", "references": ["https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1016"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"ipconfig.exe\" OR Processes.original_file_name = \"ipconfig.exe\" AND Processes.process = \"*/displaydns*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_network_config_discovery_display_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Network Connections Discovery Netsh", "author": "Teoderick Contreras, Splunk", "date": "2024-05-17", "version": 2, "id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "description": "The following analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as netsh.exe can be used by adversaries to bypass firewall rules or discover firewall settings. If confirmed malicious, this activity could allow attackers to manipulate firewall configurations, potentially leading to unauthorized network access or data exfiltration.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Snake Keylogger", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "netsh process with command line $process$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1049"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = \"* show *\" Processes.process IN (\"*state*\", \"*config*\", \"*wlan*\", \"*profile*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this tool for auditing process.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_network_connections_discovery_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Reboot CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "description": "The following analytic identifies the execution of the Windows command line to reboot a host machine using \"shutdown.exe\" with specific parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it is often associated with advanced persistent threats (APTs) and remote access trojans (RATs) like dcrat, which may use system reboots to disrupt operations, aid in system destruction, or inhibit recovery. If confirmed malicious, this could lead to system downtime, data loss, or hindered incident response efforts.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ that executed reboot via commandline on $dest$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process IN (\"* /r*\", \"* -r*\") Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_reboot_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "description": "The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk.", "references": ["https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution"], "tags": {"analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls.", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1216", "T1218"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"wscript.exe\",\"cscript.exe\") Processes.process=\"*syncappvpublishingserver.vbs*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Shutdown CommandLine", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 3, "id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "description": "The following analytic identifies the execution of the Windows shutdown command via the command line interface. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because attackers may use the shutdown command to erase tracks, cause disruption, or ensure changes take effect after installing backdoors. If confirmed malicious, this activity could lead to system downtime, denial of service, or evasion of security tools, impacting the overall security posture of the network.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT", "DarkGate Malware", "NjRAT", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process $process_name$ seen to execute shutdown via commandline on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1529"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" AND Processes.process IN(\"* /s*\", \"* -s*\") AND Processes.process IN (\"* /t*\",\"* -t*\",\"* /f*\",\"* -f*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_shutdown_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System Time Discovery W32tm Delay", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "description": "The following analytic identifies the use of the w32tm.exe utility with the /stripchart function, which is indicative of DCRat malware delaying its payload execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line arguments used by w32tm.exe. This activity is significant as it may indicate an attempt to evade detection by delaying malicious actions such as C2 communication and beaconing. If confirmed malicious, this behavior could allow an attacker to maintain persistence and execute further malicious activities undetected.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$.", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1124"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= \"* /stripchart *\" Processes.process= \"* /computer:localhost *\" Processes.process= \"* /period:*\" Processes.process= \"* /dataonly *\" Processes.process= \"* /samples:*\" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_time_discovery_w32tm_delay_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Discovery Via Quser", "author": "Teoderick Contreras, Splunk", "date": "2024-05-20", "version": 2, "id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "description": "The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "execution of process $process_name$ in $dest$", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"quser.exe\" OR Processes.original_file_name = \"quser.exe\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "network administrator can use this command tool to audit RDP access of user in specific network or host.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_user_discovery_via_quser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows System User Privilege Discovery", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "8c9a06bc-9939-4425-9bb9-be2371f7fb7e", "description": "The following analytic detects the execution of `whoami.exe` with the `/priv` parameter, which displays the privileges assigned to the current user account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to enumerate user privileges, a common step in the reconnaissance phase of an attack. If confirmed malicious, this could lead to privilege escalation or further exploitation within the environment.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"analytic_story": ["CISA AA23-347A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Activity related to system user privilege discovery detected on $dest$ using whoami.exe.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1033"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"whoami.exe\" Processes.process= \"*/priv*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_privilege_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_system_user_privilege_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Terminating Lsass Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-23", "version": 2, "id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "description": "The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "message": "a process $SourceImage$ terminates Lsass process in $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, dest | rename dest as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_terminating_lsass_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion", "author": "Teoderick Contreras, Splunk", "date": "2024-05-24", "version": 2, "id": "34502357-deb1-499a-8261-ffe144abf561", "description": "The following analytic detects potentially malicious processes that initiate a ping delay using an invalid IP address. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"ping 0 -n\". This behavior is significant as it is commonly used by malware like NJRAT to introduce time delays for evasion tactics, such as delaying self-deletion. If confirmed malicious, this activity could indicate an active infection attempting to evade detection, potentially leading to further compromise and persistence within the environment.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"analytic_story": ["NjRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ did a suspicious ping to invalid IP address on $dest$", "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1497", "T1497.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"ping.exe\" Processes.parent_process = \"* ping 0 -n *\" OR Processes.process = \"* ping 0 -n *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Time Based Evasion via Choice Exec", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "d5f54b38-10bf-4b3a-b6fc-85949862ed50", "description": "The following analytic detects the use of choice.exe in batch files as a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential time-based evasion techniques used by malware to avoid detection. If confirmed malicious, this behavior could allow attackers to execute code stealthily, delete malicious files, and persist on compromised hosts, making it crucial for SOC analysts to investigate promptly.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A $process_name$ has a choice time delay commandline on $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1497.003", "T1497"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process = \"*/T*\" Processes.process = \"*/N*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_via_choice_exec_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "administrator may use choice.exe to allow user to choose from and indexes of choices from a batch script.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_time_based_evasion_via_choice_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "author": "Steven Dick", "date": "2024-05-22", "version": 2, "id": "453a6b0f-b0ea-48fa-9cf4-20537ffdd22c", "description": "The following analytic detects when an executable known for User Account Control (UAC) bypass exploitation spawns a child process in a user-controlled location or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on high or system integrity level processes with specific parent-child process relationships. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, this could allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1548", "T1548.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.parent_process_name IN (`uacbypass_process_name`) AND (Processes.process_name IN (\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\",\"wscript\",\"cscript.exe\",\"bash.exe\",\"werfault.exe\") OR Processes.process IN (\"*\\\\\\\\*\",\"*\\\\Users\\\\*\",\"*\\\\ProgramData\\\\*\",\"*\\\\Temp\\\\*\")) by Processes.dest, Processes.user, Processes.parent_process_guid, Processes.parent_process, Processes.parent_process_name Processes.process_name Processes.process, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "00d050d3-a5b4-4565-a6a5-a31f69681dc3", "description": "The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.", "references": ["https://attack.mitre.org/techniques/T1548/002/", "https://atomicredteam.io/defense-evasion/T1548.002/", "https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Attacker"]}], "message": "A UAC bypass behavior was detected by parent process name- $parent_process_name$ on host $dest$ by $user$.", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548", "T1548.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"low\",\"medium\") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | eval original_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0) | rename process_guid as join_guid_1, process* as parent_process* | join max=0 dest join_guid_1 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.process_integrity_level IN (\"high\",\"system\") AND Processes.process_name IN (`uacbypass_process_name`) by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process_guid | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_1, process_guid as join_guid_2, process_name as uac_process_name ] | join max=0 dest join_guid_2 [| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (`uacbypass_process_name`) AND Processes.process_integrity_level IN (\"high\",\"system\") by Processes.dest, Processes.parent_process_guid, Processes.process_name, Processes.process, Processes.process_guid, Processes.process_path, Processes.process_integrity_level, Processes.process_current_directory | `drop_dm_object_name(Processes)` | rename parent_process_guid as join_guid_2 | eval elevated_integrity_level = CASE(match(process_integrity_level,\"low\"),1,match(process_integrity_level,\"medium\"),2,match(process_integrity_level,\"high\"),3,match(process_integrity_level,\"system\"),4,true(),0)] | where elevated_integrity_level > original_integrity_level | table dest user parent_process parent_process_name parent_process_integrity_level process_integrity_level process process_name uac_process_name count firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_escalation_behavior_filter`", "how_to_implement": "Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data.", "known_false_positives": "Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "uacbypass_process_name", "definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation."}, {"name": "windows_uac_bypass_suspicious_escalation_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "author": "Teoderick Contreras, Splunk", "date": "2024-05-22", "version": 2, "id": "36334123-077d-47a2-b70c-6c7b3cc85049", "description": "The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/choice", "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"], "tags": {"analytic_story": ["Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A suspicious process $process_name$ accessing outlook credentials registry on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1552"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676*\", \"*\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676*\") AND process_name != *\\\\outlook.exe | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsecured_outlook_credentials_access_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "third party software may access this outlook registry.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_unsecured_outlook_credentials_access_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unsigned DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-31", "version": 2, "id": "5a83ce44-8e0f-4786-a775-8249a525c879", "description": "The following analytic detects the creation of potentially malicious unsigned DLLs in the c:\\windows\\system32 or c:\\windows\\syswow64 folders. It leverages Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded in these critical directories. This activity is significant as it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system.", "references": ["https://asec.ahnlab.com/en/17692/", "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer."], "tags": {"analytic_story": ["NjRAT", "Warzone RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An unsigned dll module was loaded on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Signed=false OriginalFileName = \"-\" SignatureStatus=\"unavailable\" ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "author": "Teoderick Contreras, Splunk", "date": "2024-06-07", "version": 1, "id": "3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f", "description": "This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.", "references": ["https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html", "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "tags": {"analytic_story": ["DarkGate Malware", "PlugX"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An unsigned dll module was loaded on $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1574"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"c:\\\\Program Files*\")) NOT (ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"c:\\\\Program Files*\")) | rex field=Image \"(?.+\\\\\\)\" | rex field=ImageLoaded \"(?.+\\\\\\)\" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_dll_side_loading_in_same_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unsigned MS DLL Side-Loading", "author": "Teoderick Contreras, Splunk", "date": "2024-05-27", "version": 2, "id": "8d9e0e06-ba71-4dc5-be16-c1a46d58728c", "description": "The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. This behavior is significant as adversaries often exploit DLL side-loading to execute malicious code via legitimate processes. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "tags": {"analytic_story": ["APT29 Diplomatic Deceptions with WINELOADER"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Image", "type": "File Name", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$.", "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1574.002", "T1547"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=7 Company=\"Microsoft Corporation\" Signed=false SignatureStatus != Valid NOT (Image IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) NOT (ImageLoaded IN(\"C:\\\\Windows\\\\System32\\\\*\", \"C:\\\\Windows\\\\SysWow64\\\\*\", \"C:\\\\Program Files*\")) | rex field=Image \"(?.+\\\\\\)\" | rex field=ImageLoaded \"(?.+\\\\\\)\" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`", "how_to_implement": "The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives.", "known_false_positives": "False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unsigned_ms_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-25", "version": 2, "id": "f65aa026-b811-42ab-b4b9-d9088137648f", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-31", "version": 2, "id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-19", "version": 2, "id": "15603165-147d-4a6e-9778-bd0ff39e668f", "description": "The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential NTLM based password spraying attack from $src$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | rename Workstation as src |`windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "author": "Mauricio Velazco, Splunk", "date": "2024-05-14", "version": 2, "id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "description": "The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as user by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "author": "Mauricio Velazco, Splunk", "date": "2024-05-28", "version": 2, "id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "author": "Mauricio Velazco, Splunk", "date": "2024-05-21", "version": 2, "id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "description": "The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Attacker"]}], "message": "Potential password spraying attack from $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as user by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "description": "The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential NTLM based password spraying attack from $Workstation$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "author": "Mauricio Velazco, Splunk", "date": "2024-05-18", "version": 2, "id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "description": "The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "message": "Potential password spraying attack on $Computer$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1110.003", "T1110"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "description": "The following analytic detects the creation of suspicious URL shortcut link files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify .url files created outside standard directories, such as Program Files. This activity is significant as it may indicate an attempt to execute malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"analytic_story": ["Chaos Ransomware", "NjRAT", "Snake Keylogger"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "a process created URL shortcut file in $file_path$ of $dest$", "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1204.002", "T1204"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN (\"*\\\\Program Files*\")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_user_execution_malicious_url_shortcut_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Valid Account With Never Expires Password", "author": "Teoderick Contreras, Splunk", "date": "2024-05-28", "version": 2, "id": "73a931db-1830-48b3-8296-cd9cfa09c3c8", "description": "The following analytic detects the use of net.exe to update user account policies to set passwords as non-expiring. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving \"/maxpwage:unlimited\". This activity is significant as it can indicate an attempt to maintain persistence, escalate privileges, evade defenses, or facilitate lateral movement. If confirmed malicious, this behavior could allow an attacker to maintain long-term access to compromised accounts, potentially leading to further exploitation and unauthorized access to sensitive information.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems"], "tags": {"analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1489"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"* accounts *\" AND Processes.process=\"* /maxpwage:unlimited\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "This behavior is not commonly seen in production environment and not advisable, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_valid_account_with_never_expires_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable 3CX Software", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "f2cc1584-46ee-485b-b905-977c067f36de", "description": "The following analytic detects instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this activity is crucial as these specific versions have known vulnerabilities that could be exploited by attackers. If confirmed malicious, exploitation of this vulnerability could lead to unauthorized access, code execution, or further compromise of the affected system, posing significant security risks.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1195.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_3cx_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Vulnerable Driver Installed", "author": "Dean Luxton", "date": "2023-09-27", "version": 1, "id": "1dda7586-57be-4a1b-8de1-a9ad802b9a7f", "description": "The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. This detection is a Windows Event Log adaptation of the Sysmon driver loaded detection written by Michael Haag.", "references": ["https://loldrivers.io/", "https://github.com/SpikySabra/Kernel-Cactus", "https://github.com/wavestone-cdt/EDRSandblast", "https://research.splunk.com/endpoint/a2b1f1ef-221f-4187-b2a4-d4b08ec745f4/", "https://www.splunk.com/en_us/blog/security/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers.html"], "tags": {"analytic_story": ["Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potentially vulnerable/malicious driver ($driver_name$) has been installed on $dest$", "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1543.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" | table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE | `windows_vulnerable_driver_installed_filter`", "how_to_implement": "Ensure the Splunk is collecting XmlWinEventLog:System events and the EventCode 7045 is being ingested.", "known_false_positives": "False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "windows_vulnerable_driver_installed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": [{"name": "loldrivers", "description": "A list of known vulnerable drivers", "filename": "loldrivers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows Vulnerable Driver Loaded", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "description": "The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.", "references": ["https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/jbaines-r7/dellicious", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", "https://github.com/stong/CVE-2020-15368", "https://github.com/CaledoniaProject/drivers-binaries", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969"], "tags": {"analytic_story": ["BlackByte Ransomware", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1543.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`", "how_to_implement": "Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable.", "known_false_positives": "False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "loldrivers", "description": "A list of known vulnerable drivers", "filename": "loldrivers.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "fields_list": null}]}, {"name": "Windows WinDBG Spawning AutoIt3", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "7aec015b-cd69-46c3-85ed-dac152056aa4", "description": "The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior is detected by monitoring endpoint telemetry for processes where 'windbg.exe' is the parent process and 'autoit3.exe' or similar is the child process. This activity is significant because AutoIt3 is frequently used by threat actors for scripting malicious automation, potentially indicating an ongoing attack. If confirmed malicious, this could allow attackers to automate tasks, execute arbitrary code, and further compromise the system, leading to data exfiltration or additional malware deployment.", "references": ["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt"], "tags": {"analytic_story": ["DarkGate Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.", "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND (Processes.process_name IN (\"autoit3.exe\", \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\")) by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.original_file_name, Processes.process, Processes.process_id, Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval matches_extension=if(match(process, \"\\\\.(au3|a3x|exe|aut|aup)$\"), \"Yes\", \"No\") | search matches_extension=\"Yes\" | `windows_windbg_spawning_autoit3_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_windbg_spawning_autoit3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WinLogon with Public Network Connection", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 3, "id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "description": "The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"analytic_story": ["BlackLotus Campaign"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1542.003"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/8,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered.", "datamodel": ["Endpoint", "Network_Traffic"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_winlogon_with_public_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Impersonate Token", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 2, "id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "description": "The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.", "references": ["https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md", "https://www.joesandbox.com/analysis/278341/0/html"], "tags": {"analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\wmiprvse.exe\" GrantedAccess IN (\"0x1478\", \"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "administrator may execute impersonate wmi object script for auditing. Filter is needed.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_wmi_impersonate_token_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process And Service List", "author": "Teoderick Contreras, Splunk", "date": "2024-05-21", "version": 2, "id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "description": "The following analytic identifies suspicious WMI command lines querying for running processes or services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process and command-line events. This activity is significant as adversaries often use WMI to gather system information and identify services on compromised machines. If confirmed malicious, this behavior could allow attackers to map out the system, identify critical services, and plan further attacks, potentially leading to privilege escalation or persistence within the environment.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"analytic_story": ["Prestige Ransomware", "Windows Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "wmi command $process$ to list processes and services in $dest$", "risk_score": 4, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*process list*\", \"*service list*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "netowrk administrator or IT may execute this command for auditing processes and services.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_and_service_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows WMI Process Call Create", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 2, "id": "0661c2de-93de-11ec-9833-acde48001122", "description": "The following analytic detects the execution of WMI command lines used to create or execute processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line events that include specific keywords like \"process,\" \"call,\" and \"create.\" This activity is significant because adversaries often use WMI to execute malicious payloads on local or remote hosts, potentially bypassing traditional security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.", "references": ["https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml", "https://github.com/redcanaryco/atomic-red-team/blob/2b804d25418004a5f1ba50e9dc637946ab8733c7/atomics/T1047/T1047.md", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"analytic_story": ["CISA AA23-347A", "IcedID", "Qakbot", "Suspicious WMI Use", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "process with $process$ commandline executed in $dest$", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"* process *\" Processes.process = \"* call *\" Processes.process = \"* create *\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may execute this command for testing or auditing.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_call_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 4, "id": "203ef0ea-9bd8-11eb-8201-acde48001122", "description": "The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN"], "tags": {"analytic_story": ["CISA AA22-257A", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$ by the following command: $TaskContent$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "winevent_scheduled_task_created_to_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 4, "id": "5d9c6eee-988c-11eb-8253-acde48001122", "description": "The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN", "https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/"], "tags": {"analytic_story": ["Active Directory Lateral Movement", "AsyncRAT", "CISA AA22-257A", "CISA AA23-347A", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Ransomware", "Ryuk Ransomware", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "A windows scheduled task was created (task name=$TaskName$) on $dest$", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1053.005", "T1053"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wineventlog_security` EventCode=4698 TaskContent IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "winevent_scheduled_task_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "b3632472-310b-11ec-9aab-acde48001122", "description": "The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Amadey", "AsyncRAT", "CISA AA22-257A", "DarkCrystal RAT", "Data Destruction", "IcedID", "Industroyer2", "Prestige Ransomware", "Qakbot", "Sandworm Tools", "Scheduled Tasks", "Windows Persistence Techniques", "Winter Vivern", "Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A Scheduled Task was scheduled and ran on $dest$.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1053.005"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`wineventlog_task_scheduler` EventCode IN (\"200\",\"201\") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`", "how_to_implement": "Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message.", "known_false_positives": "False positives will be present. Filter based on ActionName paths or specify keywords of interest.", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "winevent_windows_task_scheduler_event_action_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "wineventlog_task_scheduler", "definition": "source=\"XmlWinEventLog:Security\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Winhlp32 Spawning a Process", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "d17dae9e-2618-11ec-b9f5-acde48001122", "description": "The following analytic detects winhlp32.exe spawning a child process that loads a file from appdata, programdata, or temp directories. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because winhlp32.exe has known vulnerabilities and can be exploited to execute malicious code. If confirmed malicious, an attacker could use this technique to execute arbitrary scripts, escalate privileges, or maintain persistence within the environment. Analysts should review parallel processes, module loads, and file modifications for further suspicious behavior.", "references": ["https://www.exploit-db.com/exploits/16541", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1055"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winhlp32_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRAR Spawning Shell Application", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 2, "id": "d2f36034-37fa-4bd4-8801-26807c15540f", "description": "The following analytic detects the execution of Windows shell processes initiated by WinRAR, such as \"cmd.exe\", \"powershell.exe\", \"certutil.exe\", \"mshta.exe\", or \"bitsadmin.exe\". This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because it may indicate exploitation of the WinRAR CVE-2023-38831 vulnerability, where malicious scripts are executed from spoofed ZIP archives. If confirmed malicious, this could lead to unauthorized access, financial loss, and further malicious activities like data theft or ransomware attacks.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc", "https://github.com/b1tg/CVE-2023-38831-winrar-exploit"], "tags": {"analytic_story": ["WinRAR Spoofing Attack CVE-2023-38831"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1105"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN (\"certutil.exe\",\"mshta.exe\",\"bitsadmin.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winrar_spawning_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WinRM Spawning a Process", "author": "Drew Church, Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "a081836a-ba4d-11eb-8593-acde48001122", "description": "The following analytic detects suspicious processes spawned by WinRM (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate exploitation attempts of vulnerabilities like CVE-2021-31166, which could lead to system instability or compromise. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistence, posing a severe threat to the environment.", "references": ["https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml", "https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys", "https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py"], "tags": {"analytic_story": ["CISA AA23-347A", "Rhysida Ransomware", "Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN (\"cmd.exe\",\"sh.exe\",\"bash.exe\",\"powershell.exe\",\"pwsh.exe\",\"schtasks.exe\",\"certutil.exe\",\"whoami.exe\",\"bitsadmin.exe\",\"scp.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winrm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Cmd", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 3, "id": "6fcbaedc-a37b-11eb-956b-acde48001122", "description": "The following analytic identifies instances where Microsoft Word (winword.exe) spawns the command prompt (cmd.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious attachments execute commands via cmd.exe. If confirmed malicious, this could allow an attacker to execute arbitrary commands, potentially leading to further system compromise, data exfiltration, or lateral movement within the network.", "references": ["https://app.any.run/tasks/73af0064-a785-4c0a-ab0d-cde593fe16ef/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ which is very common in spearphishing attacks.", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning PowerShell", "author": "Michael Haag, Splunk", "date": "2024-05-10", "version": 3, "id": "b2c950b8-9be2-11eb-8658-acde48001122", "description": "The following analytic identifies instances where Microsoft Word (winword.exe) spawns a PowerShell process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious documents execute encoded PowerShell commands. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/", "https://app.any.run/tasks/b79fa381-f35c-4b3e-8d02-507e7ee7342f/", "https://app.any.run/tasks/181ac90b-0898-4631-8701-b778a30610ad/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "DarkCrystal RAT", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "$parent_process_name$ on $dest$ by $user$ launched the following powershell process: $process_name$ which is very common in spearphishing attacks", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" `process_powershell` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Winword Spawning Windows Script Host", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "637e1b5c-9be1-11eb-9c32-acde48001122", "description": "The following analytic identifies instances where Microsoft Winword.exe spawns Windows Script Host processes (cscript.exe or wscript.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is Winword.exe. This activity is significant because it is uncommon and often associated with spearphishing attacks, where malicious scripts are executed via document macros. If confirmed malicious, this could lead to code execution, allowing attackers to gain initial access, execute further payloads, or establish persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1566/001/"], "tags": {"analytic_story": ["CVE-2023-21716 Word RTF Heap Corruption", "Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "User $user$ on $dest$ spawned Windows Script Host from Winword.exe", "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1566", "T1566.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "winword_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription", "author": "Rico Valdez, Splunk", "date": "2024-05-26", "version": 2, "id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "description": "The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon Event ID 5 data to identify instances where the event consumers are not the expected \"NTEventLogEventConsumer.\" This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wmi` EventCode=5861 Binding | rex field=Message \"Consumer =\\s+(?[^;|^$]+)\" | search consumer!=\"NTEventLogEventConsumer=\\\"SCM Event Log Consumer\\\"\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Permanent Event Subscription - Sysmon", "author": "Rico Valdez, Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "description": "The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "WMI Permanent Event Subscription detected on $dest$ by $user$", "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1546.003", "T1546"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`", "how_to_implement": "To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Recon Running Process Or Services", "author": "Teoderick Contreras, Splunk", "date": "2024-05-15", "version": 4, "id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI performs an event query to list running processes or services. This detection leverages PowerShell Script Block Logging to capture and analyze script block text for specific WMI queries. This activity is significant as it is commonly used by malware and APT actors to map security applications or services on a compromised machine. If confirmed malicious, this could allow attackers to identify and potentially disable security defenses, facilitating further compromise and persistence within the environment.", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Suspicious powerShell script execution by $user$ on $dest$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services", "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1592"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`powershell` EventCode=4104 ScriptBlockText= \"*SELECT*\" AND (ScriptBlockText=\"*Win32_Process*\" OR ScriptBlockText=\"*Win32_Service*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Network administrator may used this command for checking purposes", "datamodel": [], "source": "endpoint", "nes_fields": null, "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi_recon_running_process_or_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMI Temporary Event Subscription", "author": "Rico Valdez, Splunk", "date": "2024-05-12", "version": 2, "id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "description": "The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.", "references": [], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`wmi` EventCode=5860 Temporary | rex field=Message \"NotificationQuery =\\s+(?[^;|^$]+)\" | search query!=\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\" AND query!=\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_temporary_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic Group Discovery", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "83317b08-155b-11ec-8e00-acde48001122", "description": "The following analytic identifies the use of `wmic.exe` to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs, including command-line details. Monitoring this activity is significant as it can indicate reconnaissance efforts by an attacker to understand group memberships, which could be a precursor to privilege escalation or lateral movement. If confirmed malicious, this activity could allow an attacker to map out privileged groups, aiding in further exploitation and persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "Local group discovery on $dest$ by $user$.", "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1069", "T1069.001"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process=\"*group get name*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmic NonInteractive App Uninstallation", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "description": "The following analytic identifies the use of the WMIC command-line tool attempting to uninstall applications non-interactively. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with WMIC. This activity is significant because it is uncommon and may indicate an attempt to evade detection by uninstalling security software, as seen in IcedID malware campaigns. If confirmed malicious, this behavior could allow an attacker to disable security defenses, facilitating further compromise and persistence within the environment.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"analytic_story": ["Azorult", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "message": "Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1562.001", "T1562"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process=\"* product *\" Processes.process=\"*where name*\" Processes.process=\"*call uninstall*\" Processes.process=\"*/nointeractive*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Third party application may use this approach to uninstall applications.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_noninteractive_app_uninstallation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WMIC XSL Execution via URL", "author": "Michael Haag, Splunk", "date": "2024-05-27", "version": 2, "id": "787e9dd0-4328-11ec-a029-acde48001122", "description": "The following analytic detects `wmic.exe` loading a remote XSL script via a URL. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include HTTP/HTTPS URLs and the /FORMAT switch. This activity is significant as it indicates a potential application control bypass, allowing adversaries to execute JScript or VBScript within an XSL file. If confirmed malicious, this technique can enable attackers to execute arbitrary code, escalate privileges, or maintain persistence using a trusted Windows tool, posing a severe threat to the environment.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file"], "tags": {"analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script.", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1220"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*http://*\", \"*https://*\") Processes.process=\"*/format:*\" by Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmic_xsl_execution_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-10", "version": 2, "id": "95a455f0-4c04-11ec-b8ac-3e22fbd008af", "description": "The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where `wmiprvse.exe` is the parent process and the child process is a known LOLBAS binary. This activity is significant as it may indicate lateral movement or remote code execution by an adversary abusing Windows Management Instrumentation (WMI). If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement", "https://lolbas-project.github.io/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wmiprsve.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1047"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wmiprsve_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "author": "Teoderick Contreras, Splunk", "date": "2024-05-18", "version": 2, "id": "1f35e1da-267b-11ec-90a9-acde48001122", "description": "The following analytic identifies suspicious child processes spawned by WScript or CScript. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific parent and child process names. This activity is significant as adversaries often use WScript or CScript to execute Living Off The Land Binaries (LOLBINs) or other scripts like PowerShell for defense evasion. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"analytic_story": ["Data Destruction", "FIN7", "NjRAT", "Remcos", "Unusual Processes", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "message": "wscript or cscript parent process spawned $process_name$ in $dest$", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1055", "T1543", "T1134.004", "T1134"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"cscript.exe\", \"wscript.exe\") Processes.process_name IN (\"regsvr32.exe\", \"rundll32.exe\",\"winhlp32.exe\",\"certutil.exe\",\"msbuild.exe\",\"cmd.exe\",\"powershell*\",\"wmic.exe\",\"mshta.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wscript_or_cscript_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "author": "Mauricio Velazco, Splunk", "date": "2024-05-12", "version": 2, "id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "description": "The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. It leverages Endpoint Detection and Response (EDR) data to detect when `Wsmprovhost.exe` spawns child processes that are known LOLBAS (Living Off the Land Binaries and Scripts) executables. This activity is significant because it may indicate an adversary using Windows Remote Management (WinRM) to execute code on remote endpoints, a common technique for lateral movement. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://lolbas-project.github.io/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "Wsmprovhost.exe spawned a LOLBAS process on $dest$.", "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1021", "T1021.006"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wsmprovhost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WSReset UAC Bypass", "author": "Steven Dick, Teoderick Contreras, Splunk", "date": "2024-05-19", "version": 4, "id": "8b5901bc-da63-11eb-be43-acde48001122", "description": "The following analytic detects a suspicious modification of the registry aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies the creation or modification of specific registry values under the path \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\". This detection uses data from Endpoint Detection and Response (EDR) agents, focusing on process and registry events. This activity is significant because UAC bypass techniques can allow attackers to execute high-privilege actions without user consent. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise.", "references": ["https://github.com/hfiref0x/UACME", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass"], "tags": {"analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_id": ["T1548.002", "T1548"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\" AND (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"DelegateExecute\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wsreset_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XMRIG Driver Loaded", "author": "Teoderick Contreras, Splunk", "date": "2024-05-06", "version": 2, "id": "90080fa6-a8df-11eb-91e4-acde48001122", "description": "The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/"], "tags": {"analytic_story": ["CISA AA22-320A", "XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$", "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": ["T1543.003", "T1543"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`sysmon` EventCode=6 Signature=\"Noriyuki MIYAZAKI\" OR ImageLoaded= \"*\\\\WinRing0x64.sys\" | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives should be limited.", "datamodel": [], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "xmrig_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "XSL Script Execution With WMIC", "author": "Teoderick Contreras, Splunk", "date": "2024-05-13", "version": 2, "id": "004e32e2-146d-11ec-a83f-acde48001122", "description": "The following analytic detects the execution of an XSL script using the WMIC process, which is often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving WMIC and XSL files. This behavior is significant as it has been associated with the FIN7 group, known for using this technique to execute malicious scripts. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to system compromise and further malicious actions within the environment.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-3---wmic-bypass-using-local-xsl-file"], "tags": {"analytic_story": ["FIN7", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script.", "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1220"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"*os get*\" Processes.process=\"*/format:*\" Processes.process = \"*.xsl*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`", "how_to_implement": "The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "unknown", "datamodel": ["Endpoint"], "source": "endpoint", "nes_fields": "user,dest", "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "xsl_script_execution_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Detect ARP Poisoning", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "b44bebd6-bd39-467b-9321-73971bcd1aac", "description": "The following analytic detects ARP Poisoning attacks by monitoring for Dynamic ARP Inspection (DAI) errors on Cisco network devices. It leverages logs from Cisco devices, specifically looking for events where the ARP inspection feature has disabled an interface due to suspicious activity. This activity is significant because ARP Poisoning can allow attackers to intercept, modify, or disrupt network traffic, leading to potential data breaches or denial of service. If confirmed malicious, this could enable attackers to perform man-in-the-middle attacks, compromising the integrity and confidentiality of network communications.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"arp-inspection\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_arp_poisoning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-29", "version": 2, "id": "92e24f32-9b9a-4060-bba2-2a0eb31f3493", "description": "The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions.", "references": ["https://attack.mitre.org/techniques/T1568/002/", "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", "https://en.wikipedia.org/wiki/Domain_generation_algorithm"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Exfiltration", "Dynamic DNS", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "domain", "type": "URL String", "role": ["Attacker"]}], "message": "A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1568.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy DGA detection model into Splunk App DSDL.\\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU. * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\n* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\n* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\n* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if domain name is similar to dga generated domains.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-22", "version": 2, "id": "92f65c3a-168c-11ed-71eb-0242ac120012", "description": "The following analytic identifies potential DNS data exfiltration using a pre-trained deep learning model. It leverages DNS request data from the Network Resolution datamodel and computes features from past events between the same source and domain. The model generates a probability score (pred_is_exfiltration_proba) indicating the likelihood of data exfiltration. This activity is significant as DNS tunneling can be used by attackers to covertly exfiltrate sensitive data. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising the organization's security posture.", "references": ["https://attack.mitre.org/techniques/T1048/003/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/Data_exfiltration"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "query", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A DNS data exfiltration request was sent by this host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name(\"DNS\")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n * Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\n * Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab\n* Save the notebook using the save option in jupyter notebook.\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS data exfiltration request look very similar to benign DNS requests.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect hosts connecting to dynamic domain providers", "author": "Bhavin Patel, Splunk", "date": "2024-05-18", "version": 4, "id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "description": "The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.", "references": [], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Data Protection", "Dynamic DNS", "Prohibited Traffic Allowed or Protocol Mismatch", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ from your infra connecting to suspicious domain in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1189"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`", "how_to_implement": "First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** DNS Query, **Field:** query\n* **Label:** DNS Answer, **Field:** answer\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_hosts_connecting_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "dynamic_dns_providers", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect IPv6 Network Infrastructure Threats", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-12", "version": 2, "id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "description": "The following analytic detects IPv6 network infrastructure threats by identifying suspicious activities such as IP and MAC address theft or packet drops. It leverages logs from Cisco network devices configured with First Hop Security measures like RA Guard and DHCP Guard. This activity is significant as it can indicate attempts to compromise network integrity and security. If confirmed malicious, attackers could manipulate network traffic, leading to potential data interception, unauthorized access, or network disruption.", "references": ["https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3200.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-ra-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-snooping.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dad-proxy.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-nd-mcast-supp.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dhcpv6-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-src-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ipv6-dest-guard.html"], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"SISF\" mnemonic IN (\"IP_THEFT\",\"MAC_THEFT\",\"MAC_AND_IP_THEFT\",\"PAK_DROP\") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "None currently known", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_ipv6_network_infrastructure_threats_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Large Outbound ICMP Packets", "author": "Rico Valdez, Splunk", "date": "2024-05-24", "version": 3, "id": "e9c102de-4d43-42a7-b1c8-8062ea297419", "description": "The following analytic identifies outbound ICMP packets with a size larger than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually large ICMP packets that are not blocked and are destined for external IP addresses. This activity is significant because threat actors often use ICMP for command and control communication, and large ICMP packets can indicate data exfiltration or other malicious activities. If confirmed malicious, this could allow attackers to maintain covert communication channels, exfiltrate sensitive data, or further compromise the network.", "references": [], "tags": {"analytic_story": ["Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1095"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\"All_Traffic\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_large_outbound_icmp_packets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Outbound LDAP Traffic", "author": "Bhavin Patel, Johan Bjerke, Splunk", "date": "2024-05-21", "version": 2, "id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "description": "The following analytic identifies outbound LDAP traffic to external IP addresses. It leverages the Network_Traffic data model to detect connections on ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity is significant because outbound LDAP traffic can indicate potential data exfiltration or unauthorized access attempts. If confirmed malicious, attackers could exploit this to access sensitive directory information, leading to data breaches or further network compromise.", "references": ["https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1059"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name(\"All_Traffic\")` | where src_ip != dest_ip | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)` |`detect_outbound_ldap_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_outbound_ldap_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Outbound SMB Traffic", "author": "Bhavin Patel, Stuart Hopkins, Patrick Bareiss", "date": "2024-05-25", "version": 5, "id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "description": "The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Hidden Cobra Malware", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.002", "T1071"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=\"smb\") by All_Traffic.src_ip | `drop_dm_object_name(\"All_Traffic\")` | eval match=case( cidrmatch(\"10.0.0.0/8\" ,dest_ip) ,\"1\", cidrmatch(\"172.16.0.0/12\" ,dest_ip) ,\"1\", cidrmatch(\"192.168.0.0/16\" ,dest_ip) ,\"1\", cidrmatch(\"100.64.0.0/10\" ,dest_ip) ,\"1\", 1=1,\"0\") | search match=0 | fields - match | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`", "how_to_implement": "This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_outbound_smb_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Port Security Violation", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-13", "version": 2, "id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "description": "The following analytic detects port security violations on Cisco switches. It leverages logs from Cisco network devices, specifically looking for events with mnemonics indicating port security violations. This activity is significant because it indicates an unauthorized device attempting to connect to a secured port, potentially bypassing network access controls. If confirmed malicious, this could allow an attacker to gain unauthorized access to the network, leading to data exfiltration, network disruption, or further lateral movement within the environment.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` (facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"psecure-violation\") OR (facility=\"PORT_SECURITY\" mnemonic=\"PSECURE_VIOLATION\" OR mnemonic=\"PSECURE_VIOLATION_VLAN\") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_port_security_violation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Remote Access Software Usage DNS", "author": "Steven Dick", "date": "2024-05-27", "version": 2, "id": "a16b797d-e309-41bd-8ba0-5067dae2e4be", "description": "The following analytic detects DNS queries to known remote access software domains from within the environment. It leverages DNS query logs mapped to the Network_Resolution data model and cross-references them with a lookup table of remote access software domains, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use remote access tools to maintain persistent access to compromised systems. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further infiltrate the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $query$ was contacted by $src$.", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`", "how_to_implement": "To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Remote Access Software Usage Traffic", "author": "Steven Dick", "date": "2024-05-29", "version": 2, "id": "885ea672-07ee-475a-879e-60d28aa5dd42", "description": "The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://applipedia.paloaltonetworks.com/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Application traffic for a known remote access software [$signature$] was detected from $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`", "how_to_implement": "The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Detect Rogue DHCP Server", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-28", "version": 2, "id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "description": "The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically looking for events where DHCP leases are issued from untrusted ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle attacks, leading to potential data interception and network disruption. If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1498", "T1557"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` facility=\"DHCP_SNOOPING\" mnemonic=\"DHCP_SNOOPING_UNTRUSTED_PORT\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_rogue_dhcp_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect SNICat SNI Exfiltration", "author": "Shannon Davis, Splunk", "date": "2024-05-21", "version": 2, "id": "82d06410-134c-11eb-adc1-0242ac120002", "description": "The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.", "references": ["https://www.mnemonic.io/resources/blog/introducing-snicat/", "https://github.com/mnemonic-no/SNIcat", "https://attack.mitre.org/techniques/T1041/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1041"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_ssl` | rex field=server_name \"(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\\.)\" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`", "how_to_implement": "You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.", "known_false_positives": "Unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_snicat_sni_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zeek_ssl", "definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Software Download To Network Device", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-20", "version": 2, "id": "cc590c66-f65f-48f2-986a-4797244762f8", "description": "The following analytic identifies unauthorized software downloads to network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing network traffic events on specific ports (69, 21, 22) from devices categorized as network, router, or switch. This activity is significant because adversaries may exploit netbooting to load unauthorized operating systems, potentially compromising network integrity. If confirmed malicious, this could lead to unauthorized control over network devices, enabling further attacks, data exfiltration, or persistent access within the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1542.005", "T1542"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`", "how_to_implement": "This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory.", "known_false_positives": "This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_software_download_to_network_device_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "date": "2024-05-13", "version": 2, "id": "92f65c3a-968c-11ed-a1eb-0242ac120002", "description": "The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security.", "references": ["https://attack.mitre.org/techniques/T1071/004/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/TXT_record"], "tags": {"analytic_story": ["Command And Control", "DNS Hijacking", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "answer", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "A suspicious DNS TXT response was detected on host $src$ , kindly review.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1568.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`.\n* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`.\n* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\n* Below steps need to be followed inside Jupyter lab.\n* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook.\n* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`.\n* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab.\n* Save the notebook using the save option in Jupyter notebook.\n* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Traffic Mirroring", "author": "Mikael Bjerkeland, Splunk", "date": "2024-05-09", "version": 2, "id": "42b3b753-5925-49c5-9742-36fa40a73990", "description": "The following analytic detects the initiation of traffic mirroring sessions on Cisco network devices. It leverages logs with specific mnemonics and facilities related to traffic mirroring, such as \"ETH_SPAN_SESSION_UP\" and \"PKTCAP_START.\" This activity is significant because adversaries may use traffic mirroring to exfiltrate data by duplicating and forwarding network traffic to an external destination. If confirmed malicious, this could allow attackers to capture sensitive information, monitor network communications, and potentially compromise the integrity and confidentiality of the network.", "references": [], "tags": {"analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1200", "T1020", "T1498", "T1020.001"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`cisco_networks` (facility=\"MIRROR\" mnemonic=\"ETH_SPAN_SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"PKTCAP_START\") OR (mnemonic=\"CFGLOG_LOGGEDCMD\" command=\"monitor session*\") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.", "known_false_positives": "This search will return false positives for any legitimate traffic captures by network administrators.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_traffic_mirroring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect Unauthorized Assets by MAC address", "author": "Bhavin Patel, Splunk", "date": "2024-05-10", "version": 3, "id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "description": "The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration.", "references": [], "tags": {"analytic_story": ["Asset Tracking"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name(\"Network_Sessions\")`|`drop_dm_object_name(\"All_Sessions\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`", "how_to_implement": "This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.", "known_false_positives": "This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.", "datamodel": ["Network_Sessions"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_unauthorized_assets_by_mac_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Splunk Stream", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "babd8d10-d073-11ea-87d0-0242ac130003", "description": "The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1203"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_dns` | spath \"query_type{}\" | search \"query_type{}\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\"ip:tcp:dns\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count", "how_to_implement": "You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_windows_dns_sigred_via_splunk_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "stream_dns", "definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_tcp", "definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect Windows DNS SIGRed via Zeek", "author": "Shannon Davis, Splunk", "date": "2024-05-23", "version": 2, "id": "c5c622e4-d073-11ea-87d0-0242ac130003", "description": "The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.", "references": [], "tags": {"analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1203"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count ", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.", "known_false_positives": "unknown", "datamodel": ["Network_Traffic", "Network_Resolution"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_windows_dns_sigred_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Zerologon via Zeek", "author": "Shannon Davis, Splunk", "date": "2024-05-28", "version": 2, "id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "description": "The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.", "references": ["https://www.secura.com/blog/zero-logon", "https://github.com/SecuraBV/CVE-2020-1472", "https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"analytic_story": ["Detect Zerologon Attack", "Rhysida Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\"NetrServerReqChallenge\")) as challenge count(eval(operation==\"NetrServerAuthenticate3\")) as authcount count(eval(operation==\"NetrServerPasswordSet2\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`", "how_to_implement": "You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "detect_zerologon_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "DNS Query Length Outliers - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-22", "version": 3, "id": "85fbcfe8-9718-4911-adf6-7000d077a3a9", "description": "The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \"IsOutlier(query_length)\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n * **Label:** DNS Query, **Field:** query\n* **Label:** DNS Query Length, **Field:** query_length\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "dns_query_length_outliers___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "DNS Query Length With High Standard Deviation", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 6, "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "description": "The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding twice the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.", "references": [], "tags": {"analytic_story": ["Command And Control", "Hidden Cobra Malware", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$", "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.record_type IN(\"Pointer\",\"PTR\") by DNS.query host| `drop_dm_object_name(\"DNS\")` | eval tlds=split(query,\".\") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It's possible there can be long domain names that are legitimate.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "dns_query_length_with_high_standard_deviation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Excessive DNS Failures", "author": "bowesmana, Bhavin Patel, Splunk", "date": "2024-05-20", "version": 4, "id": "104658f4-afdc-499e-9719-17243f9826f1", "description": "The following analytic identifies excessive DNS query failures by counting DNS responses that do not indicate success, triggering when there are more than 50 occurrences. It leverages the Network_Resolution data model, focusing on DNS reply codes that signify errors. This activity is significant because a high number of DNS failures can indicate potential network misconfigurations, DNS poisoning attempts, or malware communication issues. If confirmed malicious, this activity could lead to disrupted network services, hindered communication, or data exfiltration attempts by attackers.", "references": [], "tags": {"analytic_story": ["Command And Control", "Suspicious DNS Traffic"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Excessive DNS failures detected on $src$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1071.004", "T1071"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.reply_code\"!=\"No Error\" \"DNS.reply_code\"!=\"NoError\" DNS.reply_code!=\"unknown\" NOT \"DNS.query\"=\"*.arpa\" \"DNS.query\"=\"*.*\" by \"DNS.src\" \"DNS.query\" \"DNS.reply_code\" | `drop_dm_object_name(\"DNS\")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "excessive_dns_failures_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "description": "The following analytic detects attempts to exploit the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388) for unauthenticated remote code execution. It identifies suspicious URI paths and POST HTTP methods, along with specific request headers containing potential commands in the `utilcmdargs` field and a random base64 encoded value in the `X-F5-Auth-Token` field. This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary commands on the affected system. If confirmed malicious, this could lead to full system compromise and unauthorized access to sensitive data.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred.", "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url=\"*/mgmt/tm/util/bash*\" Web.http_method=\"POST\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "High Volume of Bytes Out to Url", "author": "Bhavin Patel, Splunk", "date": "2024-05-24", "version": 2, "id": "c8a6b56d-16dd-4e9c-b4bd-527742ead98d", "description": "The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.", "references": ["https://attack.mitre.org/techniques/T1567/", "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html", "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/"], "tags": {"analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$.", "risk_score": 9, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1567"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype | search sum_bytes_out > 1070000000 | `drop_dm_object_name(\"Web\")`| `high_volume_of_bytes_out_to_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior.", "known_false_positives": "This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.", "datamodel": ["Web"], "source": "network", "nes_fields": null, "macros": [{"name": "high_volume_of_bytes_out_to_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Hosts receiving high volume of network traffic from email server", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 3, "id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "description": "The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.", "references": [], "tags": {"analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1114.002", "T1114"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Internal Horizontal Port Scan", "author": "Dean Luxton", "date": "2023-10-20", "version": 1, "id": "1ff9eb9a-7d72-4993-a55e-59a839e607f1", "description": "This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.", "references": [], "tags": {"analytic_story": ["Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "Hostname", "role": ["Victim"]}], "message": "$src_ip$ has scanned for port $dest_port$ across $totalDestIPCount$ destination IPs", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1046"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\") by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport | `drop_dm_object_name(\"All_Traffic\")` | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport | where totalDestIPCount>=250 | eval dest_port=transport + \"/\" + dest_port | stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`", "how_to_implement": "To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively.", "known_false_positives": "Unknown", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "internal_horizontal_port_scan_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Internal Vertical Port Scan", "author": "Dean Luxton", "date": "2023-10-20", "version": 1, "id": "40d2dc41-9bbf-421a-a34b-8611271a6770", "description": "This analytic detects instances where an internal host attempts to communicate with over 500 ports on a single destination IP address. It includes filtering criteria to exclude applications performing scans over ephemeral port ranges, focusing on potential reconnaissance or scanning activities. Monitoring network traffic logs allows for timely detection and response to such behavior, enhancing network security by identifying and mitigating potential threats promptly.", "references": [], "tags": {"analytic_story": ["Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "Hostname", "role": ["Victim"]}], "message": "$src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1046"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\") by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport span=1s _time | `drop_dm_object_name(\"All_Traffic\")` | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) as action dc(eval(if(dest_port<1024 AND transport=\"tcp\",dest_port,null))) as privilegedDestTcpPortCount dc(eval(if(transport=\"tcp\",dest_port,null))) as totalDestTcpPortCount dc(eval(if(dest_port<1024 AND transport=\"udp\",dest_port,null))) as privilegedDestUdpPortCount dc(eval(if(transport=\"udp\",dest_port,null))) as totalDestUdpPortCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| where (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | `internal_vertical_port_scan_filter`", "how_to_implement": "To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively.", "known_false_positives": "Unknown", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "internal_vertical_port_scan_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Internal Vulnerability Scan", "author": "Dean Luxton", "date": "2023-10-27", "version": 1, "id": "46f946ed-1c78-4e96-9906-c7a4be15e39b", "description": "This analytic detects internal hosts triggering multiple IDS signatures, which may include either more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. Such patterns can indicate active vulnerability scanning activities within the network. By monitoring IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, enhancing the network's security posture and preventing potential exploits.", "references": [], "tags": {"analytic_story": ["Network Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "Large volume of IDS signatures triggered by $src$", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1595.002", "T1046"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name(\"IDS_Attacks\")` | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity src | eventstats count as sigCount by signature src | eval severity=severity +\"(\"+sevCount+\")\" | eval signature=signature +\"(\"+sigCount+\")\" | eval dest_port=transport + \"/\" + dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount dc(signature) as sigCount values(signature) values(src_category) as src_category values(dest_category) as dest_category values(severity) as severity values(dest_port) as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 | `internal_vulnerability_scan_filter`", "how_to_implement": "For this detection to function effectively, it is essential to ingest IDS/IPS logs that are mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry and contextual information needed to accurately identify and analyze potential threats.", "known_false_positives": "Internal vulnerability scanners will trigger this detection.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "internal_vulnerability_scan_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Large Volume of DNS ANY Queries", "author": "Bhavin Patel, Splunk", "date": "2024-05-15", "version": 2, "id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "description": "The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type \"ANY\" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure.", "references": [], "tags": {"analytic_story": ["DNS Amplification Attacks"], "asset_type": "DNS Servers", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1498", "T1498.002"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" \"DNS.record_type\"=\"ANY\" by \"DNS.dest\" | `drop_dm_object_name(\"DNS\")` | where count>200 | `large_volume_of_dns_any_queries_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "large_volume_of_dns_any_queries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Multiple Archive Files Http Post Traffic", "author": "Teoderick Contreras, Splunk", "date": "2024-05-16", "version": 3, "id": "4477f3ea-a28f-11eb-b762-acde48001122", "description": "The following analytic detects the high-frequency exfiltration of archive files via HTTP POST requests. It leverages HTTP stream logs to identify specific archive file headers within the request body. This activity is significant as it often indicates data exfiltration by APTs or trojan spyware after data collection. If confirmed malicious, this behavior could lead to the unauthorized transfer of sensitive data to an attacker’s command and control server, potentially resulting in severe data breaches and loss of confidential information.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.mandiant.com/resources/apt39-iranian-cyber-espionage-group-focused-on-personal-information", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = \"7z\" OR archive_hdr1 = \"PK\" OR archive_hdr2=\"Rar!\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration.", "known_false_positives": "Normal archive transfer via HTTP protocol may trip this detection.", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "multiple_archive_files_http_post_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Ngrok Reverse Proxy on Network", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "5790a766-53b8-40d3-a696-3547b978fcf0", "description": "The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as \"*.ngrok.com\" and \"*.ngrok.io\". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"analytic_story": ["CISA AA22-320A", "Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok.", "risk_score": 50, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1572", "T1090", "T1102"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN (\"*.ngrok.com\",\"*.ngrok.io\", \"ngrok.*.tunnel.com\", \"korgn.*.lennut.com\") by DNS.src DNS.query DNS.answer | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`", "how_to_implement": "The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "datamodel": ["Network_Resolution"], "source": "network", "nes_fields": null, "macros": [{"name": "ngrok_reverse_proxy_on_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Plain HTTP POST Exfiltrated Data", "author": "Teoderick Contreras, Splunk", "date": "2024-05-26", "version": 3, "id": "e2b36208-a364-11eb-8909-acde48001122", "description": "The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as \"wermgr.exe\" or \"svchost.exe\". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.", "references": ["https://blog.talosintelligence.com/2020/03/trickbot-primer.html"], "tags": {"analytic_story": ["Command And Control", "Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "A http post $http_method$ sending packet with plain text of information in uri path $uri_path$", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method=POST form_data IN (\"*wermgr.exe*\",\"*svchost.exe*\", \"*name=\\\"proclist\\\"*\",\"*ipconfig*\", \"*name=\\\"sysinfo\\\"*\", \"*net view*\") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src_ip dest_ip http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "unknown", "datamodel": [], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "plain_http_post_exfiltrated_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Prohibited Network Traffic Allowed", "author": "Rico Valdez, Splunk", "date": "2024-05-11", "version": 3, "id": "ce5a0962-849f-4720-a678-753fe6674479", "description": "The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the \"lookup_interesting_ports\" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `prohibited_network_traffic_allowed_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "prohibited_network_traffic_allowed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Protocol or Port Mismatch", "author": "Rico Valdez, Splunk", "date": "2024-05-29", "version": 3, "id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "description": "The following analytic identifies network traffic where the higher layer protocol does not match the expected port, such as non-HTTP traffic on TCP port 80. It leverages data from network traffic inspection technologies like Bro or Palo Alto Networks firewalls. This activity is significant because it may indicate attempts to bypass firewall restrictions or conceal malicious communications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, or exfiltrate data through commonly allowed ports, posing a significant threat to network security.", "references": [], "tags": {"analytic_story": ["Command And Control", "Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1048.003", "T1048"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocol_or_port_mismatch_filter`", "how_to_implement": "Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.", "known_false_positives": "None identified", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "protocol_or_port_mismatch_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Protocols passing authentication in cleartext", "author": "Rico Valdez, Splunk", "date": "2024-05-29", "version": 4, "id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "description": "The following analytic identifies the use of cleartext protocols that risk leaking sensitive information. It detects network traffic on legacy protocols such as Telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21). The detection leverages the Network_Traffic data model to identify TCP traffic on these ports. Monitoring this activity is crucial as it can expose credentials and other sensitive data to interception. If confirmed malicious, attackers could capture authentication details, leading to unauthorized access and potential data breaches.", "references": ["https://www.rackaid.com/blog/secure-your-email-and-file-transfers/", "https://www.infosecmatter.com/capture-passwords-using-wireshark/"], "tags": {"analytic_story": ["Use of Cleartext Protocols"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport=\"tcp\" AND (All_Traffic.dest_port=\"23\" OR All_Traffic.dest_port=\"143\" OR All_Traffic.dest_port=\"110\" OR (All_Traffic.dest_port=\"21\" AND All_Traffic.user != \"anonymous\")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocols_passing_authentication_in_cleartext_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22)", "known_false_positives": "Some networks may use kerberized FTP or telnet servers, however, this is rare.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "protocols_passing_authentication_in_cleartext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Desktop Network Bruteforce", "author": "Jose Hernandez, Splunk", "date": "2024-05-17", "version": 3, "id": "a98727cc-286b-4ff2-b898-41df64695923", "description": "The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.", "references": [], "tags": {"analytic_story": ["Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "$dest$ may be the target of an RDP Bruteforce", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`", "how_to_implement": "You must ensure that your network traffic data is populating the Network_Traffic data model.", "known_false_positives": "RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "remote_desktop_network_bruteforce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Remote Desktop Network Traffic", "author": "David Dorsey, Splunk", "date": "2024-05-29", "version": 5, "id": "272b8407-842d-4b3d-bead-a704584003d3", "description": "The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss.", "references": [], "tags": {"analytic_story": ["Active Directory Lateral Movement", "Hidden Cobra Malware", "Ryuk Ransomware", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "dest", "type": "IP Address", "role": ["Attacker"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.001", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action=\"allowed\" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter`", "how_to_implement": "To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \"Identify Systems Creating Remote Desktop Traffic\" to identify systems that originate the traffic and the search \"Identify Systems Receiving Remote Desktop Traffic\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \"common_rdp_source\" or \"common_rdp_destination\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "remote_desktop_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "SMB Traffic Spike", "author": "David Dorsey, Splunk", "date": "2024-05-27", "version": 4, "id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "description": "The following analytic detects spikes in Server Message Block (SMB) traffic connections, which are used for sharing files and resources between computers. It leverages network traffic logs to monitor connections on ports 139 and 445, and SMB application usage. By calculating the average and standard deviation of SMB connections over the past 70 minutes, it identifies sources exceeding two standard deviations from the average. This activity is significant as it may indicate potential SMB-based attacks, such as ransomware or data theft. If confirmed malicious, attackers could exfiltrate data or spread malware within the network.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.002", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\"All_Traffic\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-70m@m\"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.", "known_false_positives": "A file server may experience high-demand loads that could cause this analytic to trigger.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SMB Traffic Spike - MLTK", "author": "Rico Valdez, Splunk", "date": "2024-05-21", "version": 4, "id": "d25773ba-9ad8-48d1-858e-07ad0bbeb828", "description": "The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network.", "references": [], "tags": {"analytic_story": ["DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A", "Hidden Cobra Malware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1021.002", "T1021"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \"%H\") | eval DayOfWeek=strftime(_time, \"%A\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \"IsOutlier(count)\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of SMB Traffic - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n* **Label:** Number of events, **Field:** count\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Splunk Identified SSL TLS Certificates", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "620fbb89-86fd-4e2e-925f-738374277586", "description": "The following analytic identifies the usage of Splunk default SSL/TLS certificates within the environment. It leverages tags such as SSL, TLS, and certificate to detect these default certificates by examining the ssl_issuer_common_name field. This activity is significant because using default certificates can expose the environment to potential security risks, as they are not unique and can be easily exploited. If confirmed malicious, attackers could intercept or manipulate data, leading to unauthorized access or data breaches. It is recommended to replace default certificates with valid, unique TLS certificates to enhance security.", "references": ["https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Proxy", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "message": "The following $host$ is using the self signed Splunk certificate.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1040"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS \"Host(s) with Default Cert\" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype | `splunk_identified_ssl_tls_certificates_filter`", "how_to_implement": "Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will not be present as it is meant to assist with identifying default certificates being utilized.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "splunk_identified_ssl_tls_certificates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SSL Certificates with Punycode", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "696694df-5706-495a-81f2-79501fa11b90", "description": "The following analytic detects SSL certificates with Punycode domains in the SSL issuer email domain, identified by the prefix \"xn--\". It leverages the Certificates Datamodel to flag these domains and uses CyberChef for decoding. This activity is significant as Punycode can be used for domain spoofing and phishing attacks. If confirmed malicious, attackers could deceive users and systems, potentially leading to unauthorized access and data breaches.", "references": ["https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1573"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name(\"All_Certificates.SSL\")` | eval punycode=if(like(ssl_issuer_email_domain,\"%xn--%\"),1,0) | where punycode=1 | cyberchef infield=\"ssl_issuer_email_domain\" outfield=\"convertedPuny\" jsonrecipe=\"[{\"op\":\"From Punycode\",\"args\":[true]}]\" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`", "how_to_implement": "Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines.", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "ssl_certificates_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "TOR Traffic", "author": "David Dorsey, Bhavin Patel, Splunk", "date": "2024-05-29", "version": 4, "id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "description": "The following analytic identifies allowed network traffic to The Onion Router (TOR), an anonymity network often exploited for malicious activities. It leverages data from Next Generation Firewalls, using the Network_Traffic data model to detect traffic where the application is TOR and the action is allowed. This activity is significant as TOR can be used to bypass conventional monitoring, facilitating hacking, data breaches, and illicit content dissemination. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and severe compliance violations, compromising the integrity and security of the network.", "references": ["https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK", "https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/#:~:text=For%20enterprises%20concerned%20about%20the,the%20most%20important%20security%20risks."], "tags": {"analytic_story": ["Command And Control", "NOBELIUM Group", "Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}], "message": "Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$", "risk_score": 80, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1090", "T1090.003"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `tor_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated.", "known_false_positives": "None at this time", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "tor_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Unusually Long Content-Type Length", "author": "Bhavin Patel, Splunk", "date": "2024-05-13", "version": 2, "id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "description": "The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.", "references": [], "tags": {"analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`", "how_to_implement": "This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.", "known_false_positives": "Very few legitimate Content-Type fields will have a length greater than 100 characters.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusually_long_content_type_length_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Replication Service Traffic", "author": "Steven Dick", "date": "2024-05-19", "version": 2, "id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "description": "The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.", "references": ["https://adsecurity.org/?p=1729", "https://attack.mitre.org/techniques/T1003/006/", "https://attack.mitre.org/techniques/T1207/"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Active Directory Replication Traffic from Unknown Source - $src$", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1003", "T1003.006", "T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN (\"ms-dc-replication\",\"*drsr*\",\"ad drs\") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `windows_ad_replication_service_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.", "known_false_positives": "New domain controllers or certian scripts run by administrators.", "datamodel": ["Network_Traffic"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_ad_replication_service_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows AD Rogue Domain Controller Network Activity", "author": "Dean Luxton", "date": "2024-05-18", "version": 2, "id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "description": "The following analytic identifies unauthorized replication RPC calls from non-domain controller devices. It leverages Zeek wire data to detect specific RPC operations like DrsReplicaAdd and DRSGetNCChanges, filtering out legitimate domain controllers. This activity is significant as it may indicate an attempt to introduce a rogue domain controller, which can compromise the integrity of the Active Directory environment. If confirmed malicious, this could allow attackers to manipulate directory data, escalate privileges, and persist within the network, posing a severe security risk.", "references": ["https://adsecurity.org/?p=1729"], "tags": {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "IP Address", "role": ["Victim"]}], "message": "Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$)", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1207"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category=\"Domain Controller\") OR NOT (src_category=\"Domain Controller\") | fillnull value=\"Unknown\" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`", "how_to_implement": "Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities.", "known_false_positives": "None.", "datamodel": ["Change"], "source": "network", "nes_fields": "user,dest", "macros": [{"name": "windows_ad_rogue_domain_controller_network_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zeek x509 Certificate with Punycode", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "description": "The following analytic detects the presence of punycode within x509 certificates using Zeek x509 logs. It identifies punycode in the subject alternative name email and other fields by searching for the \"xn--\" prefix. This activity is significant as punycode can be used in phishing attacks or to bypass domain filters, posing a security risk. If confirmed malicious, attackers could use these certificates to impersonate legitimate domains, potentially leading to unauthorized access or data breaches.", "references": ["https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts", "https://docs.zeek.org/en/master/logs/x509.html", "https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName"], "tags": {"analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "A x509 certificate has been identified to have punycode in the subject alternative name on $dest$.", "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1573"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "`zeek_x509` | rex field=san.email{} \"\\@(?xn--.*)\" | rex field=san.other_fields{} \"\\@(?xn--.*)\" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`", "how_to_implement": "The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "datamodel": [], "source": "network", "nes_fields": null, "macros": [{"name": "zeek_x509", "definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_x509_certificate_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "15838756-f425-43fa-9d88-a7f88063e81a", "description": "The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*\" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Adobe ColdFusion Access Control Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "d6821c0b-fcdc-4c95-a77f-e10752fae41a", "description": "The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.", "references": ["https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29298 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"//restplay*\", \"//CFIDE/restplay*\", \"//CFIDE/administrator*\", \"//CFIDE/adminapi*\", \"//CFIDE/main*\", \"//CFIDE/componentutils*\", \"//CFIDE/wizards*\", \"//CFIDE/servermanager*\",\"/restplay*\", \"/CFIDE/restplay*\", \"/CFIDE/administrator*\", \"/CFIDE/adminapi*\", \"/CFIDE/main*\", \"/CFIDE/componentutils*\", \"/CFIDE/wizards*\", \"/CFIDE/servermanager*\") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "adobe_coldfusion_access_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "695aceae-21db-4e7f-93ac-a52e39d02b93", "description": "The following analytic detects potential exploitation of the Adobe ColdFusion vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read. It monitors web requests to the \"/cf_scripts/scripts/ajax/ckeditor/*\" path using the Web datamodel, focusing on specific ColdFusion paths to differentiate malicious activity from normal traffic. This activity is significant due to the vulnerability's high CVSS score of 9.8, indicating severe risk. If confirmed malicious, it could lead to unauthorized data access, further attacks, or severe operational disruptions, necessitating immediate investigation.", "references": ["https://www.rapid7.com/db/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360/", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-26360.yaml"], "tags": {"analytic_story": ["Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-26360 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/cf_scripts/scripts/ajax/ckeditor/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Cisco IOS XE Implant Access", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "07c36cda-6567-43c3-bc1a-89dff61e2cd9", "description": "The following analytic identifies the potential exploitation of a vulnerability (CVE-2023-20198) in the Web User Interface of Cisco IOS XE software. It detects suspicious account creation and subsequent actions, including the deployment of a non-persistent implant configuration file. The detection leverages the Web datamodel, focusing on specific URL patterns and HTTP methods. This activity is significant as it indicates unauthorized administrative access, which can lead to full control of the device. If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", "https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner"], "tags": {"analytic_story": ["Cisco IOS XE Software Web Management User Interface vulnerability"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-20198 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/webui/logoutconfirm.html?logon_hash=*\") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "cisco_ios_xe_implant_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "b593cac5-dd20-4358-972a-d945fefdaf17", "description": "The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration.", "references": ["https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966"], "tags": {"analytic_story": ["Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/oauth/idp/.well-known/openid-configuration*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.", "known_false_positives": "False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Citrix ADC Exploitation CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2024-05-25", "version": 3, "id": "76ac2dcb-333c-4a77-8ae9-2720cfae47a8", "description": "The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.", "references": ["https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467", "https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967"], "tags": {"analytic_story": ["Citrix Netscaler ADC CVE-2023-3519"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-3519 against $dest$.", "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saml/login\",\"/cgi/samlauth\",\"*/saml/activelogin\",\"/cgi/samlart?samlart=*\",\"*/cgi/logout\",\"/gwtest/formssso?event=start&target=*\",\"/netscaler/ns_gui/vpn/*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "citrix_adc_exploitation_cve_2023_3519_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "172c59f2-5fae-45e5-8e51-94445143e93f", "description": "The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as \"/documentum/upload.aspx?parentid=\", \"/documentum/upload.aspx?filename=\", and \"/documentum/upload.aspx?uploadId=*\", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.", "references": ["https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "tags": {"analytic_story": ["Citrix ShareFile RCE CVE-2023-24489"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible expliotation of CVE-2023-24489 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"/documentum/upload.aspx?*\" AND Web.url IN (\"*parentid=*\",\"*filename=*\",\"*uploadId=*\") AND Web.url IN (\"*unzip=*\", \"*raw=*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`", "how_to_implement": "Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.", "known_false_positives": "False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "citrix_sharefile_exploitation_cve_2023_24489_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 3, "id": "630ea8b2-2800-4f5d-9cbc-d65c567349b0", "description": "The following analytic identifies potential exploitation attempts of the Confluence CVE-2023-22515 vulnerability. It detects successful accesses (HTTP status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk 'Web' Data Model. This activity is significant for a SOC as it indicates possible privilege escalation attempts in Confluence. If confirmed malicious, attackers could gain unauthorized access or create accounts with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "references": ["https://github.com/Chocapikk/CVE-2023-22515/blob/main/exploit.py", "https://x.com/Shadowserver/status/1712378833536741430?s=20", "https://github.com/j3seer/CVE-2023-22515-POC"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*\",\"*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*\") Web.http_method=GET Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_cve_2023_22515_trigger_vulnerability_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_cve_2023_22515_trigger_vulnerability_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence Data Center and Server Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 4, "id": "115bebac-0976-4f7d-a3ec-d1fb45a39a11", "description": "The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering for successful accesses (HTTP status 200) to these endpoints. This activity is significant as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. If confirmed malicious, it could result in unauthorized access or account creation with escalated privileges, leading to potential data breaches or further exploitation within the environment.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/", "https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/setup/setupadministrator.action*\", \"*/setup/finishsetup.action*\", \"*/json/setup-restore-local.action*\", \"*/json/setup-restore-progress.action*\", \"*/json/setup-restore.action*\", \"*/bootstrap/selectsetupstep.action*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_data_center_and_server_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "f56936c0-ae6f-4eeb-91ff-ecc1448c6105", "description": "The following analytic identifies attempts to exploit a critical template injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and Server versions. It detects POST requests to the \"/template/aui/text-inline.vm\" endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection attacks. This activity is significant as it allows unauthenticated attackers to execute arbitrary code remotely. If confirmed malicious, attackers could gain full control over the affected Confluence instance, leading to data breaches, system compromise, and further network infiltration. Immediate patching is essential to mitigate this threat.", "references": ["https://github.com/cleverg0d/CVE-2023-22527", "https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "tags": {"analytic_story": ["Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Application", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/template/aui/text-inline.vm*\" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2024-05-30", "version": 2, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "description": "The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence. It leverages the Web datamodel to analyze network and CIM-compliant web logs, identifying suspicious URL patterns and parameters indicative of exploitation attempts. This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, and further lateral movement within the network. Immediate investigation and remediation are crucial to prevent extensive damage.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134", "Confluence Data Center and Confluence Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.", "known_false_positives": "Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 3, "id": "d3f7a803-e802-448b-8eb2-e796b223bfff", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via an alternate path or channel. It leverages web request logs to identify access to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected system, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | rex field=Web.url \"/SetupWizard.aspx/(?.+)\" | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "104658f4-afdc-499e-9719-17243f982681", "description": "The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1082", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") AND (Web.url=\"*/web-console/ServerInfo.jsp*\" OR Web.url=\"*web-console*\" OR Web.url=\"*jmx-console*\" OR Web.url = \"*invoker*\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`", "how_to_implement": "You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.", "known_false_positives": "It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2024-05-22", "version": 2, "id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "description": "The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as \"hsqldb;\" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254"], "tags": {"analytic_story": ["F5 TMUI RCE CVE-2020-5902"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", "how_to_implement": "To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).", "known_false_positives": "unknown", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "detect_f5_tmui_rce_cve_2020_5902_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "f5_bigip_rogue", "definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Detect malicious requests to exploit JBoss servers", "author": "Bhavin Patel, Splunk", "date": "2024-05-19", "version": 2, "id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "description": "The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security.", "references": [], "tags": {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\" AND Web.url_length > 200 | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`", "how_to_implement": "You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model", "known_false_positives": "No known false positives for this detection.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "detect_malicious_requests_to_exploit_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Detect Remote Access Software Usage URL", "author": "Steven Dick", "date": "2024-05-09", "version": 2, "id": "9296f515-073c-43a5-88ec-eda5a4626654", "description": "The following analytic detects the execution of known remote access software within the environment. It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.", "references": ["https://attack.mitre.org/techniques/T1219/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"analytic_story": ["Command And Control", "Insider Threat", "Ransomware"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url_domain", "type": "Hostname", "role": ["Attacker"]}], "message": "A domain for a known remote access software $url_domain$ was contacted by $src$.", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1219"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"Web\")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_url_filter`", "how_to_implement": "The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.", "known_false_positives": "It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "detect_remote_access_software_usage_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "case_sensitive_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "fields_list": null}]}, {"name": "Exploit Public Facing Application via Apache Commons Text", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 3, "id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "description": "The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/", "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/", "https://github.com/kljunowsky/CVE-2022-42889-text4shell", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035"], "tags": {"analytic_story": ["Text4Shell CVE-2022-42889"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter`", "how_to_implement": "To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.", "known_false_positives": "False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4).", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "exploit_public_facing_application_via_apache_commons_text_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2024-05-09", "version": 2, "id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "description": "The following analytic detects attempts to exploit the Fortinet FortiNAC CVE-2022-39952 vulnerability. It identifies HTTP POST requests to the URI configWizard/keyUpload.jsp with a payload.zip file. The detection leverages the Web datamodel, analyzing fields such as URL, HTTP method, and user agent. This activity is significant as it indicates an attempt to exploit a known vulnerability, potentially leading to remote code execution. If confirmed malicious, attackers could gain control over the affected system, schedule malicious tasks, and establish persistent access via a remote command and control (C2) server.", "references": ["https://github.com/horizon3ai/CVE-2022-39952", "https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30"], "tags": {"analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "F5 TMUI Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "88bf127c-613e-4579-99e4-c4d4b02f3840", "description": "The following analytic detects attempts to exploit the CVE-2023-46747 vulnerability, an authentication bypass flaw in F5 BIG-IP's Configuration utility (TMUI). It identifies this activity by monitoring for specific URI paths such as \"*/mgmt/tm/auth/user/*\" with the PATCH method and a 200 status code. This behavior is significant for a SOC as it indicates potential unauthorized access attempts, leading to remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, steal data, disrupt systems, or conduct further malicious activities within the network.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "tags": {"analytic_story": ["F5 Authentication Bypass with TMUI"], "asset_type": "Network", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$.", "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/mgmt/tm/auth/user/*\") Web.http_method=PATCH Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `f5_tmui_authentication_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relevant for traffic into the `Web` datamodel.", "known_false_positives": "False positives should be limited to as this is strict to active exploitation. Reduce noise by filtering to F5 devices with TMUI enabled or filter data as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "f5_tmui_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "description": "The following analytic detects attempts to exploit CVE-2022-40684, a Fortinet appliance authentication bypass vulnerability. It identifies REST API requests to the /api/v2/ endpoint using various HTTP methods (GET, POST, PUT, DELETE) that may indicate unauthorized modifications, such as adding SSH keys or creating new users. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it can lead to unauthorized access and control over the appliance. If confirmed malicious, attackers could gain persistent access, reroute network traffic, or capture sensitive information.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://github.com/rapid7/metasploit-framework/pull/17143"], "tags": {"analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "fortinet_appliance_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Hunting for Log4Shell", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "158b68fa-5d1a-11ec-aac8-acde48001122", "description": "The following analytic detects potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific patterns. It leverages the Web Datamodel and evaluates various indicators such as the presence of `{jndi:`, environment variables, and common URI paths. This detection is significant as Log4Shell allows remote code execution, posing a severe threat to systems. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and potentially compromise sensitive data, leading to extensive damage and data breaches.", "references": ["https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449", "https://regex101.com/r/OSrm0q/1/", "https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar", "https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/", "https://gist.github.com/MHaggis/1899b8554f38c8692a9fb0ceba60b44c", "https://twitter.com/sasi2103/status/1469764719850442760?s=20"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}, {"name": "src", "type": "Other", "role": ["Other"]}], "message": "Hunting for Log4Shell exploitation has occurred.", "risk_score": 40, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`", "how_to_implement": "Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against.", "known_false_positives": "It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "hunting_for_log4shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Ivanti Connect Secure Command Injection Attempts", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 3, "id": "1f32a7e0-a060-4545-b7de-73fcf9ad536e", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://twitter.com/GreyNoiseIO/status/1747711939466453301"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 90, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN(\"*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*\",\"*/api/v1/totp/user-backup-code/../../license/keys-status/*\") Web.http_method IN (\"POST\", \"GET\") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_command_injection_attempts_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_connect_secure_command_injection_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "author": "Michael Haag, Splunk", "date": "2024-05-29", "version": 2, "id": "8e6ca490-7af3-4299-9a24-39fb69759925", "description": "The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration.", "references": ["https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis", "https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2024-21893 against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/dana-ws/saml20.ws*\",\"*/dana-ws/saml.ws*\",\"*/dana-ws/samlecp.ws*\",\"*/dana-na/auth/saml-logout.cgi/*\") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_ssrf_in_saml_component_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_connect_secure_ssrf_in_saml_component_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "d51c13dd-a232-4c83-a2bb-72ab36233c5d", "description": "The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests to the /api/v1/totp/user-backup-code/../../system/system-information URI, which leverage an authentication bypass to access system information. The detection uses the Web datamodel to identify requests with a 200 OK response, indicating a successful exploit attempt. This activity is significant as it reveals potential unauthorized access to sensitive system information. If confirmed malicious, attackers could gain critical insights into the system, facilitating further exploitation and compromise.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files"], "tags": {"analytic_story": ["Ivanti Connect Secure VPN Vulnerabilities"], "asset_type": "VPN Appliance", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/api/v1/totp/user-backup-code/../../system/system-information*\" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "ivanti_connect_secure_system_information_access_via_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "author": "Michael Haag, Splunk", "date": "2024-05-18", "version": 2, "id": "66b9c9ba-7fb2-4e80-a3a2-496e5e078167", "description": "The following analytic detects attempts to exploit CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. It identifies HTTP requests to the endpoint \"/mifs/aad/api/v2/authorized/users?*\" with a status code of 200 in web logs. This activity is significant as it indicates unauthorized remote access to restricted functionalities or resources. If confirmed malicious, this could lead to data theft, unauthorized modifications, or further system compromise, necessitating immediate action to mitigate potential severe impacts.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/aad/api/v2/authorized/users?*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "e03edeba-4942-470c-a664-27253f3ad351", "description": "The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products. It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access. This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications. If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.", "references": ["https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US", "https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py", "https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/"], "tags": {"analytic_story": ["Ivanti EPMM Remote Unauthenticated Access"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.", "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/asfV3/api/v2/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Ivanti Sentry Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8", "description": "The following analytic identifies unauthenticated access attempts to the System Manager Portal in Ivanti Sentry, exploiting CVE-2023-38035. It detects this activity by monitoring HTTP requests to specific endpoints (\"/mics/services/configservice/*\", \"/mics/services/*\", \"/mics/services/MICSLogService*\") with a status code of 200. This behavior is significant for a SOC as it indicates potential unauthorized access, which could lead to OS command execution as root. If confirmed malicious, this activity could result in significant system compromise and data breaches, especially if port 8443 is exposed to the internet.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "tags": {"analytic_story": ["Ivanti Sentry Authentication Bypass CVE-2023-38035"], "asset_type": "Network", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-38035 against $dest$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mics/services/configservice/*\", \"/mics/services/*\",\"/mics/services/MICSLogService*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.", "known_false_positives": "It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "ivanti_sentry_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Jenkins Arbitrary File Read CVE-2024-23897", "author": "Michael Haag, Splunk", "date": "2024-05-24", "version": 2, "id": "c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1", "description": "The following analytic identifies attempts to exploit Jenkins Arbitrary File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing \"*/cli?remoting=false*\" with a 200 status code. This activity is significant as it indicates potential unauthorized access to sensitive files on the Jenkins server, such as credentials and private keys. If confirmed malicious, this could lead to severe data breaches, unauthorized access, and further exploitation within the environment.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9025", "https://github.com/jenkinsci-cert/SECURITY-3314-3315", "https://github.com/binganao/CVE-2024-23897", "https://github.com/h4x0r-dz/CVE-2024-23897", "https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/", "https://www.shodan.io/search?query=product%3A%22Jenkins%22", "https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html"], "tags": {"analytic_story": ["Jenkins Server Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"*/cli?remoting=false*\" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jenkins_arbitrary_file_read_cve_2024_23897_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source.", "known_false_positives": "False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jenkins_arbitrary_file_read_cve_2024_23897_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-05-20", "version": 2, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd4", "description": "The following analytic identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). It detects suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints, which are indicative of attempts to create new administrator users or generate admin access tokens without authentication. This detection leverages the Web datamodel and CIM-compliant log sources, such as Nginx or TeamCity logs. This activity is significant as it can lead to full control over the TeamCity server, including all projects, builds, agents, and artifacts. If confirmed malicious, attackers could gain unauthorized administrative access, leading to severe security breaches.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/", "https://github.com/yoryio/CVE-2024-27198/blob/main/CVE-2024-27198.py"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where ((Web.url=\"*?jsp=*\" AND Web.url=\"*;.jsp*\") Web.status=200 Web.http_method=POST) OR (Web.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") Web.status=200 Web.http_method=POST ) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter`", "how_to_implement": "The detection relies on the Web datamodel and a CIM compliant log source, that may include Nginx, TeamCity logs, or other web server logs.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "fbcc04c7-8a79-453c-b3a9-c232c423bdd3", "description": "The following analytic detects attempts to exploit the CVE-2024-27198 vulnerability in JetBrains TeamCity on-premises servers, which allows attackers to bypass authentication mechanisms. It leverages Suricata HTTP traffic logs to identify suspicious POST requests to the `/app/rest/users` and `/app/rest/users/id:1/tokens` endpoints. This activity is significant because it can lead to unauthorized administrative access, enabling attackers to gain full control over the TeamCity server, including projects, builds, agents, and artifacts. If confirmed malicious, this could result in severe security breaches and compromise the integrity of the development environment.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/9279/files", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`suricata` ((http.url=\"*?jsp=*\" AND http.url=\"*;.jsp*\") http.status=200 http_method=POST) OR (http.url IN (\"*jsp=/app/rest/users;.jsp\",\"*?jsp=/app/rest/users;.jsp\",\"*?jsp=.*/app/rest/users/id:*/tokens;*\") http.status=200 http_method=POST ) | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http.http_user_agent, http.url, http.status,http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of the CVE-2024-27198 vulnerability exploitation. Monitor, filter and tune as needed based on organization log sources.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "a1e68dcd-2e24-4434-bd0e-b3d4de139d58", "description": "The following analytic identifies attempts to exploit CVE-2024-27199, a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated access to specific endpoints. It detects unusual access patterns to vulnerable paths such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic logs via Suricata. This activity is significant as it could indicate an attacker bypassing authentication to access or modify system settings. If confirmed malicious, this could lead to unauthorized changes, disclosure of sensitive information, or uploading of malicious certificates, severely compromising the server's security.", "references": ["https://github.com/projectdiscovery/nuclei-templates/blob/f644ec82dfe018890c6aa308967424d26c0f1522/http/cves/2024/CVE-2024-27199.yaml", "https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "tags": {"analytic_story": ["JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`suricata` http.url IN (\"*../admin/diagnostic.jsp*\", \"*../app/https/settings/*\", \"*../app/pipeline*\", \"*../app/oauth/space/createBuild.html*\", \"*../res/*\", \"*../update/*\", \"*../.well-known/acme-challenge/*\", \"*../app/availableRunners*\", \"*../app/https/settings/setPort*\", \"*../app/https/settings/certificateInfo*\", \"*../app/https/settings/defaultHttpsPort*\", \"*../app/https/settings/fetchFromAcme*\", \"*../app/https/settings/removeCertificate*\", \"*../app/https/settings/uploadCertificate*\", \"*../app/https/settings/termsOfService*\", \"*../app/https/settings/triggerAcmeChallenge*\", \"*../app/https/settings/cancelAcmeChallenge*\", \"*../app/https/settings/getAcmeOrder*\", \"*../app/https/settings/setRedirectStrategy*\") http.status=200 http_method=GET | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`", "how_to_implement": "The following detection relies on the Suricata TA and ensuring it is properly configured to monitor HTTP traffic. Modify the query for your environment and log sources as needed.", "known_false_positives": "False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. The analytic is restricted to 200 and GET requests to specific URI paths, which should limit false positives.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suricata", "definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "JetBrains TeamCity RCE Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "89a58e5f-1365-4793-b45c-770abbb32b6c", "description": "The following analytic detects attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises. It identifies suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, leveraging the Web datamodel to monitor specific URL patterns and HTTP methods. This activity is significant as it may indicate an unauthenticated attacker attempting to gain administrative access via Remote Code Execution (RCE). If confirmed malicious, this could allow the attacker to execute arbitrary code, potentially compromising the entire TeamCity environment and leading to further unauthorized access and data breaches.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "tags": {"analytic_story": ["CISA AA23-347A", "JetBrains TeamCity Unauthenticated RCE", "JetBrains TeamCity Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/app/rest/users/id:1/tokens/RPC2*\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jetbrains_teamcity_rce_attempt_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "jetbrains_teamcity_rce_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Juniper Networks Remote Code Execution Exploit Detection", "author": "Michael Haag, Splunk", "date": "2024-05-14", "version": 2, "id": "6cc4cc3d-b10a-4fac-be1e-55d384fc690e", "description": "The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/", "https://vulncheck.com/blog/juniper-cve-2023-36845"], "tags": {"analytic_story": ["Juniper JunOS Remote Code Execution"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1105", "T1059"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/webauth_operation.php?PHPRC=*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`", "how_to_implement": "To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.", "known_false_positives": "Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "juniper_networks_remote_code_execution_exploit_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "author": "Jose Hernandez", "date": "2024-05-25", "version": 2, "id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "description": "The following analytic identifies attempts to inject Log4Shell JNDI payloads via web calls. It leverages the Web datamodel and uses regex to detect patterns like `${jndi:ldap://` in raw web event data, including HTTP headers. This activity is significant because it targets vulnerabilities in Java web applications using Log4j, such as Apache Struts and Solr. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to full system compromise. Immediate investigation is required to determine if the attempt was successful and to mitigate any potential exploitation.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-257A", "CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "log4shell_jndi_payload_injection_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "author": "Jose Hernandez", "date": "2024-05-16", "version": 2, "id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "description": "The following analytic detects Log4Shell JNDI payload injections via outbound connections. It identifies suspicious LDAP lookup functions in web logs, such as `${jndi:ldap://PAYLOAD_INJECTED}`, and correlates them with network traffic to known malicious IP addresses. This detection leverages the Web and Network_Traffic data models in Splunk. Monitoring this activity is crucial as it targets vulnerabilities in Java web applications using log4j, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise sensitive data within the affected environment.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"analytic_story": ["CISA AA22-320A", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "datamodel": ["Network_Traffic", "Web"], "source": "web", "nes_fields": null, "macros": [{"name": "log4shell_jndi_payload_injection_with_outbound_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Microsoft SharePoint Server Elevation of Privilege", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2024-05-19", "version": 2, "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859d", "description": "The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. It leverages the Web datamodel to monitor for specific API calls and HTTP methods indicative of privilege escalation attempts. This activity is significant as it may indicate an attacker is trying to gain unauthorized privileged access to the SharePoint environment. If confirmed malicious, the impact could include unauthorized access to sensitive data, potential data theft, and further compromise of the SharePoint server, leading to a broader security breach.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/LuemmelSec/CVE-2023-29357/blob/main/CVE-2023-29357/Program.cs"], "tags": {"analytic_story": ["Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Possible exploitation of CVE-2023-29357 against $dest$ from $src$.", "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/_api/web/siteusers*\",\"/_api/web/currentuser*\") Web.status=200 Web.http_method=GET by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_sharepoint_server_elevation_of_privilege_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.", "known_false_positives": "False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "microsoft_sharepoint_server_elevation_of_privilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "Monitor Web Traffic For Brand Abuse", "author": "David Dorsey, Splunk", "date": "2024-05-20", "version": 2, "id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "description": "The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the \"ESCU - DNSTwist Domain Names\" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage.", "references": [], "tags": {"analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": [], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "brand_abuse_web", "definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "monitor_web_traffic_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 2, "id": "b3f7a803-e802-448b-8eb2-e796b223bccc", "description": "The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via alternate paths or channels. It leverages Nginx access logs to identify web requests to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected ScreenConnect instance, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.", "references": ["https://docs.splunk.com/Documentation/AddOns/released/NGINX/Sourcetypes", "https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec", "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "tags": {"analytic_story": ["ConnectWise ScreenConnect Vulnerabilities"], "asset_type": "Web Proxy", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An authentication bypass attempt against ScreenConnect has been detected on $dest$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`nginx_access_logs` uri_path IN (\"*/SetupWizard.aspx/*\",\"*/SetupWizard/\") status=200 http_method=POST | stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nginx_connectwise_screenconnect_authentication_bypass_filter`", "how_to_implement": "To implement this analytic, ensure proper logging is occurring with Nginx, access.log and error.log, and that these logs are being ingested into Splunk. STRT utilizes this nginx.conf https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec to properly log as much data with Nginx.", "known_false_positives": "False positives are not expected, as the detection is based on the presence of web requests to the SetupWizard.aspx page, which is not a common page to be accessed by legitimate users. Note that the analytic is limited to HTTP POST and a status of 200 to reduce false positives. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "nginx_access_logs", "definition": "(sourcetype=\"nginx:plus:kv\" OR sourcetype=\"nginx:plus:access\")", "description": "This is the base macro for Nginx sourcetypes"}, {"name": "nginx_connectwise_screenconnect_authentication_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "PaperCut NG Remote Web Access Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-23", "version": 2, "id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "description": "The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges. This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server. If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present, filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "papercut_ng_remote_web_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}], "lookups": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "author": "Michael Haag, Splunk", "date": "2024-05-21", "version": 2, "id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "description": "The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Correlation", "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", "how_to_implement": "To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.", "known_false_positives": "False positives will be limited, however tune or modify the query as needed.", "datamodel": ["Risk"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "proxyshell_proxynotshell_behavior_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}], "lookups": []}, {"name": "Spring4Shell Payload URL Request", "author": "Michael Haag, Splunk", "date": "2024-05-26", "version": 2, "id": "9d44d649-7d67-4559-95c1-8022ff49420b", "description": "The following analytic detects attempts to exploit the Spring4Shell vulnerability (CVE-2022-22963) by identifying specific URL patterns associated with web shell payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs containing indicators like \"tomcatwar.jsp,\" \"poc.jsp,\" and \"shell.jsp.\" This activity is significant as it suggests an attacker is trying to deploy a web shell, which can lead to remote code execution. If confirmed malicious, this could allow the attacker to gain persistent access, execute arbitrary commands, and potentially escalate privileges within the compromised environment.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", "risk_score": 36, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "The jsp file names are static names used in current proof of concept code. =", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spring4shell_payload_url_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "SQL Injection with Long URLs", "author": "Bhavin Patel, Splunk", "date": "2024-05-12", "version": 4, "id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "description": "The following analytic detects long URLs containing multiple SQL commands, indicating a potential SQL injection attack. This detection leverages web traffic data, specifically targeting web server destinations with URLs longer than 1024 characters or HTTP user agents longer than 200 characters. SQL injection is significant as it allows attackers to manipulate a web application's database, potentially leading to unauthorized data access or modification. If confirmed malicious, this activity could result in data breaches, unauthorized access, and complete system compromise. Immediate investigation and validation of alerts are crucial to mitigate these risks.", "references": [], "tags": {"analytic_story": ["SQL Injection"], "asset_type": "Database Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "message": "SQL injection attempt with url $url$ detected on $dest$", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table.", "known_false_positives": "It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "sql_injection_with_long_urls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Supernova Webshell", "author": "John Stoner, Splunk", "date": "2024-05-26", "version": 2, "id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "description": "The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing \"*logoimagehandler.ashx*codes*\", \"*logoimagehandler.ashx*clazz*\", \"*logoimagehandler.ashx*method*\", and \"*logoimagehandler.ashx*args*\". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/"], "tags": {"analytic_story": ["NOBELIUM Group"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "tbd", "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1505.003", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.", "known_false_positives": "There might be false positives associted with this detection since items like args as a web argument is pretty generic.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "supernova_webshell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMWare Aria Operations Exploit Attempt", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "description": "The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint \"/saas./resttosaasservlet.\" This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"], "tags": {"analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1133", "T1190", "T1210", "T1068"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saas./resttosaasservlet*\") Web.http_method=POST Web.status IN (\"unknown\", \"200\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.", "known_false_positives": "False positives will be present based on gateways in use, modify the status field as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_aria_operations_exploit_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Server Side Template Injection Hunt", "author": "Michael Haag, Splunk", "date": "2024-05-12", "version": 2, "id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "description": "The following analytic identifies potential server-side template injection attempts related to CVE-2022-22954. It detects suspicious URL patterns containing \"deviceudid\" and keywords like \"java.lang.ProcessBuilder\" or \"freemarker.template.utility.ObjectConstructor\" using web or proxy logs within the Web Datamodel. This activity is significant as it may indicate an attempt to exploit a known vulnerability in VMware, potentially leading to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise the affected system, posing a severe security risk.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 35, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Hunting", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*deviceudid=*\" AND Web.url IN (\"*java.lang.ProcessBuilder*\",\"*freemarker.template.utility.ObjectConstructor*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_server_side_template_injection_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 2, "id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "description": "The following analytic detects server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE. It leverages web or proxy logs to identify HTTP GET requests to the endpoint catalog-portal/ui/oauth/verify with the freemarker.template.utility.Execute command. This activity is significant as it indicates potential exploitation attempts that could lead to remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or further lateral movement within the network.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis"], "tags": {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*/catalog-portal/ui/oauth/verify?error=&deviceudid=*\" AND Web.url=\"*freemarker.template.utility.Execute*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "datamodel": ["Web"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_workspace_one_freemarker_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web JSP Request via URL", "author": "Michael Haag, Splunk", "date": "2024-05-15", "version": 2, "id": "2850c734-2d44-4431-8139-1a56f6f54c01", "description": "The following analytic identifies URL requests associated with CVE-2022-22965 (Spring4Shell) exploitation attempts, specifically targeting webshell access on a remote webserver. It detects HTTP GET requests with URLs containing \".jsp?cmd=\" or \"j&cmd=\" patterns. This activity is significant as it indicates potential webshell deployment, which can lead to unauthorized remote command execution. If confirmed malicious, attackers could gain control over the webserver, execute arbitrary commands, and potentially escalate privileges, leading to severe data breaches and system compromise.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to web shell activity.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*.jsp?cmd=*\",\"*j&cmd=*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_jsp_request_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Remote ShellServlet Access", "author": "Michael Haag, Splunk", "date": "2024-05-19", "version": 3, "id": "c2a332c3-24a2-4e24-9455-0e80332e6746", "description": "The following analytic identifies attempts to access the Remote ShellServlet on a web server, specifically targeting Confluence servers vulnerable to CVE-2023-22518 and CVE-2023-22515. It leverages web data to detect URLs containing \"*plugins/servlet/com.jsos.shell/*\" with a status code of 200. This activity is significant as it is commonly associated with web shells and other malicious behaviors, potentially leading to unauthorized command execution. If confirmed malicious, attackers could gain remote code execution capabilities, compromising the server and potentially the entire network.", "references": ["http://www.servletsuite.com/servlets/shell.htm"], "tags": {"analytic_story": ["CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$.", "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*plugins/servlet/com.jsos.shell/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_remote_shellservlet_access_filter`", "how_to_implement": "This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic.", "known_false_positives": "False positives may occur depending on the web server's configuration. If the web server is intentionally configured to utilize the Remote ShellServlet, then the detections by this analytic would not be considered true positives.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_remote_shellservlet_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring4Shell HTTP Request Class Module", "author": "Michael Haag, Splunk", "date": "2024-05-28", "version": 2, "id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "description": "The following analytic detects HTTP requests containing payloads related to the Spring4Shell vulnerability (CVE-2022-22965). It leverages Splunk Stream HTTP data to inspect the HTTP request body and form data for specific fields such as \"class.module.classLoader.resources.context.parent.pipeline.first\". This activity is significant as it indicates an attempt to exploit a critical vulnerability in Spring Framework, potentially leading to remote code execution. If confirmed malicious, this could allow attackers to gain unauthorized access, execute arbitrary code, and compromise the affected system.", "references": ["https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A http body request related to Spring4Shell has been sent to $dest$ by $src$.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "False positives may occur and filtering may be required. Restrict analytic to asset type.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_spring4shell_http_request_class_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Web Spring Cloud Function FunctionRouter", "author": "Michael Haag, Splunk", "date": "2024-05-22", "version": 2, "id": "89dddbad-369a-4f8a-ace2-2439218735bc", "description": "The following analytic identifies HTTP POST requests to the Spring Cloud Function endpoint containing \"functionRouter\" in the URL. It leverages the Web data model to detect these requests based on specific fields such as http_method, url, and http_user_agent. This activity is significant because it targets CVE-2022-22963, a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept exploits available. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://github.com/rapid7/metasploit-framework/pull/16395", "https://github.com/hktalent/spring-spel-0day-poc"], "tags": {"analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud.", "risk_score": 42, "security_domain": "network", "risk_severity": "low", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count from datamodel=Web where Web.http_method IN (\"POST\") Web.url=\"*/functionRouter*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_spring_cloud_function_functionrouter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "author": "Michael Haag, Nathaniel Stearns, Splunk", "date": "2024-05-16", "version": 2, "id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "description": "The following analytic detects potential abuse of the ProxyShell or ProxyNotShell vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It leverages the Web datamodel to identify suspicious POST requests with specific URI paths and queries related to autodiscover, powershell, and mapi. This activity is significant as it may indicate an attempt to exploit Exchange server vulnerabilities to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the network.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://docs.splunk.com/Documentation/AddOns/released/MSIIS", "https://highon.coffee/blog/ssrf-cheat-sheet/", "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"], "tags": {"analytic_story": ["BlackByte Ransomware", "ProxyNotShell", "ProxyShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "message": "Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly.", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190", "T1133"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(\"Web\")` | eval is_autodiscover=if(like(lower(uri_path),\"%autodiscover%\"),1,0) | eval powershell = if(match(lower(uri_query),\"powershell\"), \"1\",0) | eval mapi=if(like(uri_query,\"%/mapi/%\"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.", "known_false_positives": "False positives are limited.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "windows_exchange_autodiscover_ssrf_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WordPress Bricks Builder plugin RCE", "author": "Michael Haag, Splunk", "date": "2024-05-17", "version": 2, "id": "56a8771a-3fda-4959-b81d-2f266e2f679f", "description": "The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. It detects HTTP POST requests to the URL path \"/wp-json/bricks/v1/render_element\" with a status code of 200, leveraging the Web datamodel. This activity is significant as it indicates an attempt to exploit CVE-2024-25600, a known vulnerability that allows remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the target server, leading to potential full system compromise and unauthorized access to sensitive data.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "tags": {"analytic_story": ["WordPress Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$.", "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/wp-json/bricks/v1/render_element\") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.uri_path, Web.status, Web.http_method, sourcetype, source | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wordpress_bricks_builder_plugin_rce_filter`", "how_to_implement": "The search is based on data in the Web datamodel and was modeled from NGINX logs. Ensure that the Web datamodel is accelerated and that the data source for the Web datamodel is properly configured. If using other web sources, modify they query, or review the data, as needed.", "known_false_positives": "False positives may be possible, however we restricted it to HTTP Status 200 and POST requests, based on the POC. Upon investigation review the POST body for the actual payload - or command - being executed.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only"}, {"name": "wordpress_bricks_builder_plugin_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "WS FTP Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2024-05-11", "version": 2, "id": "b84e8f39-4e7b-4d4f-9e7c-fcd29a227845", "description": "The following analytic detects potential Remote Code Execution (RCE) attempts exploiting CVE-2023-40044 in WS_FTP software. It identifies HTTP POST requests to the \"/AHT/AhtApiService.asmx/AuthUser\" URL with a status code of 200. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. This activity is significant as it may indicate an exploitation attempt, potentially allowing an attacker to execute arbitrary code on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected system.", "references": ["https://github.com/projectdiscovery/nuclei-templates/pull/8296/files", "https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://github.com/rapid7/metasploit-framework/pull/18414"], "tags": {"analytic_story": ["WS FTP Server Critical Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 13"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "url", "type": "URL String", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "message": "Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$", "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_id": ["T1190"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/AHT/AhtApiService.asmx/AuthUser\") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`", "how_to_implement": "The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.", "known_false_positives": "If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.", "datamodel": ["Web"], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ws_ftp_remote_code_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Adware Activities Threat Blocked", "author": "Gowthamaraj Rajendran, Splunk", "date": "2024-05-15", "version": 2, "id": "3407b250-345a-4d71-80db-c91e555a3ece", "description": "The following analytic identifies potential adware activity blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with adware threats. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as adware can degrade system performance, lead to unwanted advertisements, and potentially expose users to further malicious content. If confirmed malicious, it could indicate an attempt to compromise user systems, necessitating further investigation and remediation to prevent potential data breaches or system exploitation.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*adware* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_adware_activities_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_adware_activities_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Behavior Analysis Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-17", "version": 2, "id": "289ad59f-8939-4331-b805-f2bd51d36fb8", "description": "The following analytic identifies threats blocked by the Zscaler proxy based on behavior analysis. It leverages web proxy logs to detect entries where actions are blocked and threat names and classes are specified. This detection is significant as it highlights potential malicious activities that were intercepted by Zscaler's behavior analysis, providing early indicators of threats. If confirmed malicious, these blocked threats could indicate attempted breaches or malware infections, helping security teams to understand and mitigate potential risks in their environment.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=\"Behavior Analysis\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_behavior_analysis_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_behavior_analysis_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-22", "version": 2, "id": "ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365", "description": "The following analytic identifies attempts to download cryptomining software that are blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with cryptominer threats, analyzing key data points such as device owner, user, URL category, destination URL, and IP. This activity is significant for a SOC as it helps in early identification and mitigation of cryptomining activities, which can compromise network integrity and resource availability. If confirmed malicious, this activity could lead to unauthorized use of network resources for cryptomining, potentially degrading system performance and increasing operational costs.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 32, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*miner* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_cryptominer_downloaded_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_cryptominer_downloaded_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Employment Search Web Activity", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-11", "version": 2, "id": "5456bdef-d765-4565-8e1f-61ca027bc50e", "description": "The following analytic identifies web activity related to employment searches within a network. It leverages Zscaler web proxy logs, focusing on entries categorized as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This detection is significant for SOCs as it helps monitor potential insider threats by identifying users who may be seeking new employment. If confirmed malicious, this activity could indicate a risk of data exfiltration or other insider threats, potentially leading to sensitive information leakage or other security breaches.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 4, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` urlsupercategory=\"Job/Employment Search\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_employment_search_web_activity_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_employment_search_web_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Exploit Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-13", "version": 2, "id": "94665d8c-b841-4ff4-acb4-34d613e2cbfe", "description": "The following analytic identifies potential exploit attempts involving command and script interpreters blocked by Zscaler. It leverages web proxy logs to detect incidents where actions are blocked due to exploit references. The detection compiles statistics by user, threat name, URL, hostname, file class, and filename. This activity is significant as it helps identify and mitigate exploit attempts, which are critical for maintaining security. If confirmed malicious, such activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a severe threat to organizational security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "TTP", "search": "`zscaler_proxy` action=blocked threatname=*exploit* | stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_exploit_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": "user,dest", "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_exploit_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Legal Liability Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-23", "version": 2, "id": "bbf55ebf-c416-4f62-94d9-4064f2a28014", "description": "The following analytic identifies significant legal liability threats blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, device owners, users, URL categories, and actions associated with legal liability. By leveraging statistics on unique fields, it ensures a precise focus on these threats. This activity is significant for SOC as it helps enforce legal compliance and risk management. If confirmed malicious, it could indicate attempts to access legally sensitive or restricted content, potentially leading to legal repercussions and compliance violations.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` urlclass=\"Legal Liability\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | dedup urlcategory | `zscaler_legal_liability_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_legal_liability_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Malware Activity Threat Blocked", "author": "Rod Soto, Gowthamaraj Rajendran, Splunk", "date": "2024-05-12", "version": 2, "id": "ae874ad8-e353-40a7-87d4-420cdfb27d1a", "description": "The following analytic identifies potential malware activities within a network that are blocked by Zscaler. It leverages web proxy logs to filter for blocked actions associated with malware, aggregating occurrences by user, URL, and threat category. This detection is significant for SOC as it highlights attempts to access malicious content, indicating potential compromise or targeted attacks. If confirmed malicious, this activity could signify an ongoing attempt to infiltrate the network, necessitating immediate investigation to prevent further threats and ensure network integrity.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_malware_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_malware_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Phishing Activity Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-12", "version": 2, "id": "68d3e2c1-e97f-4310-b080-dea180b48aa9", "description": "The following analytic identifies potential phishing attempts blocked by Zscaler within a network. It leverages web proxy logs to detect actions tagged as HTML.Phish. The detection method involves analyzing critical data points such as user, threat name, URL, and hostname. This activity is significant for a SOC as it serves as an early warning system for phishing threats, enabling prompt investigation and mitigation. If confirmed malicious, this activity could indicate an attempt to deceive users into divulging sensitive information, potentially leading to data breaches or credential theft.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 16, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=\"HTML.Phish*\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_phishing_activity_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscalar configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_phishing_activity_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Potentially Abused File Download", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-22", "version": 2, "id": "b0c21379-f4ba-4bac-a958-897e260f964a", "description": "The following analytic identifies the download of potentially malicious file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, user, urlcategory, url, dest, and filename. This activity is significant as these file types are often used to spread malware, posing a threat to network security. If confirmed malicious, this activity could lead to malware execution, data compromise, or further network infiltration.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` url IN (\"*.scr\", \"*.dll\", \"*.bat\", \"*.lnk\") | stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_potentially_abused_file_download_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_potentially_abused_file_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-24", "version": 2, "id": "5456bdef-d765-4565-8e1f-61ca027bc50d", "description": "The following analytic identifies blocked destinations within a network that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing on entries marked as \"Privacy Risk.\" Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant for a SOC as it helps monitor and manage privacy risks, ensuring a secure network environment. If confirmed malicious, this activity could indicate attempts to access or exfiltrate sensitive information, posing a significant threat to data privacy and security.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked urlclass=\"Privacy Risk\" | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | dedup urlcategory | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_privacy_risk_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": ["Risk"], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_privacy_risk_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}], "lookups": []}, {"name": "Zscaler Scam Destinations Threat Blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-27", "version": 2, "id": "a0c21379-f4ba-4bac-a958-897e260f964a", "description": "The following analytic identifies blocked scam-related activities detected by Zscaler within a network. It leverages web proxy logs to examine actions flagged as scam threats, focusing on data points such as device owner, user, URL category, destination URL, and IP. This detection is significant for SOC as it helps in the early identification and mitigation of scam activities, ensuring network safety. If confirmed malicious, this activity could indicate attempts to deceive users, potentially leading to data theft or financial loss.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 8, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname=*scam* | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_scam_destinations_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_scam_destinations_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}, {"name": "Zscaler Virus Download threat blocked", "author": "Gowthamaraj Rajendran, Rod Soto, Splunk", "date": "2024-05-17", "version": 2, "id": "aa19e627-d448-4a31-85cd-82068dec5691", "description": "The following analytic identifies attempts to download viruses that were blocked by Zscaler within a network. It leverages web proxy logs to detect blocked actions indicative of virus download attempts. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as it helps in early detection and remediation of potential virus threats, enhancing network security. If confirmed malicious, this activity could indicate an attempt to compromise the network, potentially leading to data breaches or further malware infections.", "references": ["https://help.zscaler.com/zia/nss-feed-output-format-web-logs"], "tags": {"analytic_story": ["Zscaler Browser Proxy Threats"], "asset_type": "Web Server", "cis20": ["CIS 10"], "kill_chain_phases": [], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "url", "type": "URL String", "role": ["Attacker"]}], "message": "Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$].", "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "mitre_attack_id": ["T1566"], "mitre_attack_enrichments": []}, "type": "Anomaly", "search": "`zscaler_proxy` action=blocked threatname!=\"None\" threatclass=Virus | stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `zscaler_virus_download_threat_blocked_filter`", "how_to_implement": "You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the \"zscalernss-web\" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.", "known_false_positives": "False positives are limited to Zscaler configuration.", "datamodel": [], "source": "web", "nes_fields": null, "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "zscaler_proxy", "definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zscaler_virus_download_threat_blocked_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": []}]} \ No newline at end of file diff --git a/dist/api/lookups.json b/dist/api/lookups.json index 041026d296..bd56624501 100644 --- a/dist/api/lookups.json +++ b/dist/api/lookups.json @@ -1 +1 @@ -{"lookups": [{"filename": "data_sources.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "data_sources", "description": "A lookup file that will contain the data source objects for detections."}, {"filename": "3cx_ioc_domains.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack."}, {"filename": "__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl", "description": "Detect DNS Data Exfiltration using pretrained Model in DSDL"}, {"filename": "__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl", "description": "Detect suspicious DNS txt records using Pretrained Model in DSDL"}, {"filename": "__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl", "description": "Detect a suspicious processname using Pretrained Model in DSDL"}, {"filename": "__mlspl_pretrained_dga_model_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_pretrained_dga_model_dsdl", "description": "Detect DGA domains using Pretrained Model in DSDL"}, {"filename": "__mlspl_risky_spl_pre_trained_model.mlmodel", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_risky_spl_pre_trained_model", "description": "Detect Risky SPL using Pretrained ML Model"}, {"filename": "__mlspl_unusual_commandline_detection.mlmodel", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_unusual_commandline_detection", "description": "An MLTK model for detecting malicious commandlines"}, {"filename": "advanced_audit_policy_guids.csv", "default_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "api_call_by_user_baseline", "fields_list": "arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls", "name": "api_call_by_user_baseline", "description": "A collection that will contain the baseline information for number of AWS API calls per user"}, {"filename": "applockereventcodes.csv", "default_match": "false", "match_type": "WILDCARD(AppLocker_Event_Code)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "applockereventcodes", "description": "A csv of the ID and rule name for AppLocker event codes."}, {"filename": "asr_rules.csv", "default_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules."}, {"filename": "attacker_tools.csv", "default_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "attacker_tools", "description": "A list of tools used by attackers"}, {"filename": "aws_service_accounts.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "aws_service_accounts", "description": "A lookup file that will contain AWS Service accounts"}, {"filename": "baseline_blocked_outbound_connections.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "baseline_blocked_outbound_connections", "description": "A lookup file that will contain the baseline information for number of blocked outbound connections"}, {"filename": "brand_monitoring.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor"}, {"filename": "browser_app_list.csv", "default_match": "false", "match_type": "WILDCARD(browser_process_name), WILDCARD(browser_object_path)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "browser_app_list", "description": "A list of known browser application being targeted for credential extraction."}, {"filename": "char_conversion_matrix.csv", "default_match": "false", "match_type": "WILDCARD(data)", "min_matches": 1, "case_sensitive_match": "true", "collection": null, "fields_list": null, "name": "char_conversion_matrix", "description": "A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding."}, {"filename": null, "default_match": "false", "match_type": "WILDCARD(filter)", "min_matches": null, "case_sensitive_match": "false", "collection": "cloud_instances_enough_data", "fields_list": "_key, filter, enough_data", "name": "cloud_instances_enough_data", "description": "A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches"}, {"filename": "discovered_dns_records.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "discovered_dns_records", "description": "A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records"}, {"filename": "domain_admins.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "domain_admins", "description": "List of domain admins"}, {"filename": "domains.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "domains", "description": "A list of domains that can be ignored"}, {"filename": "dynamic_dns_providers_default.csv", "default_match": "false", "match_type": "WILDCARD(dynamic_dns_domains)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "dynamic_dns_providers_default", "description": "A list of dynammic dns providers that should not be modified"}, {"filename": "dynamic_dns_providers_local.csv", "default_match": "false", "match_type": "WILDCARD(dynamic_dns_domains)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "dynamic_dns_providers_local", "description": "A list of dynammic dns providers that can be modified"}, {"filename": "hijacklibs.csv", "default_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "hijacklibs", "description": "A list of potentially abused libraries in Windows"}, {"filename": "hijacklibs_loaded.csv", "default_match": "false", "match_type": "WILDCARD(library),WILDCARD(excludes)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "hijacklibs_loaded", "description": "A list of potentially abused libraries in Windows"}, {"filename": "images_to_repository.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "images_to_repository", "description": "Mapping images to repositories"}, {"filename": "is_net_windows_file20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_net_windows_file", "description": "A full baseline of executable files in \\Windows\\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline."}, {"filename": "is_nirsoft_software20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_nirsoft_software", "description": "A subset of utilities provided by NirSoft that may be used by adversaries."}, {"filename": "is_suspicious_file_extension_lookup.csv", "default_match": "false", "match_type": "WILDCARD(file_name)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_suspicious_file_extension_lookup", "description": "A list of suspicious extensions for email attachments"}, {"filename": "is_windows_system_file20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_windows_system_file", "description": "A full baseline of executable files in Windows\\System32 and Windows\\Syswow64, including sub-directories from Server 2016 and Windows 10."}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_container_network_io_baseline", "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen", "name": "k8s_container_network_io_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_container_network_io_ratio_baseline", "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen", "name": "k8s_container_network_io_ratio_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO Ratio"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_process_resource_baseline", "fields_list": "host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key", "name": "k8s_process_resource_baseline", "description": "A place holder for a list of used Kuberntes Process Resource"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_process_resource_ratio_baseline", "fields_list": "key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen", "name": "k8s_process_resource_ratio_baseline", "description": "A place holder for a list of used Kuberntes Process Ratios"}, {"filename": "legit_domains.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "legit_domains", "description": "A list of legit domains to be used as an ignore list for possible phishing sites"}, {"filename": "linux_tool_discovery_process.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "linux_tool_discovery_process", "description": "A list of suspicious bash commonly used by attackers via scripts"}, {"filename": "local_file_inclusion_paths.csv", "default_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack"}, {"filename": "lolbas_file_path.csv", "default_match": "false", "match_type": "WILDCARD(lolbas_file_name)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lolbas_file_path", "description": "A list of LOLBAS and their file path used in determining if a script or binary is valid on windows"}, {"filename": "loldrivers.csv", "default_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "loldrivers", "description": "A list of known vulnerable drivers"}, {"filename": "rare_process_allow_list_default.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_rare_process_allow_list_default", "description": "A list of rare processes that are legitimate that is provided by Splunk"}, {"filename": "rare_process_allow_list_local.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_rare_process_allow_list_local", "description": "A list of rare processes that are legitimate provided by the end user"}, {"filename": "uncommon_processes_default.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_uncommon_processes_default", "description": "A list of processes that are not common"}, {"filename": "uncommon_processes_local.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_uncommon_processes_local", "description": "A list of processes that are not common"}, {"filename": "mandatory_job_for_workflow.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow"}, {"filename": "mandatory_step_for_job.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job"}, {"filename": "network_acl_activity_baseline.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "network_acl_activity_baseline", "description": "A lookup file that will contain the baseline information for number of AWS Network ACL Activity"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_api_calls_from_user_roles", "fields_list": "_key,earliest,latest,userName,eventName", "name": "previously_seen_api_calls_from_user_roles", "description": "A placeholder for a list of IPs that have access S3"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_aws_cross_account_activity", "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId", "name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_aws_regions", "fields_list": "_key,earliest,latest,awsRegion", "name": "previously_seen_aws_regions", "description": "A place holder for a list of used AWS regions"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_api_calls_per_user_role", "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data", "name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_creations_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data", "name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_images", "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data", "name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_instance_types", "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data", "name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_instance_modifications_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data", "name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data", "name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_regions", "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data", "name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities"}, {"filename": "previously_seen_cmd_line_arguments.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "previously_seen_cmd_line_arguments", "description": "A placeholder for a list of cmd line arugments that been seen before"}, {"filename": "previously_seen_ec2_modifications_by_user.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "previously_seen_ec2_modifications_by_user", "description": "A place holder for a list of AWS EC2 modifications done by each user"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_gcp_storage_access_from_remote_ip", "fields_list": "_key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri", "name": "previously_seen_gcp_storage_access_from_remote_ip", "description": "A place holder for a list of GCP storage access from remote IPs"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_running_windows_services", "fields_list": "_key, service, firstTimeSeen, lastTimeSeen", "name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_S3_access_from_remote_ip", "fields_list": "_key, bucket_name,remote_ip,earliest,latest", "name": "previously_seen_S3_access_from_remote_ip", "description": "A placeholder for a list of IPs that have access S3"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country", "name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed"}, {"filename": "privileged_azure_ad_roles.csv", "default_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles."}, {"filename": "prohibited_apps_launching_cmd20231221.csv", "default_match": "false", "match_type": "WILDCARD(prohibited_applications)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "prohibited_apps_launching_cmd", "description": "A list of processes that should not be launching cmd.exe"}, {"filename": "prohibited_processes.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "prohibited_processes", "description": "A list of processes that have been marked as prohibited"}, {"filename": "ransomware_extensions_20231219.csv", "default_match": "false", "match_type": "WILDCARD(Extensions)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "ransomware_extensions_lookup", "description": "A list of file extensions that are associated with ransomware"}, {"filename": "ransomware_notes_20231219.csv", "default_match": "false", "match_type": "WILDCARD(ransomware_notes)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "ransomware_notes_lookup", "description": "A list of file names that are ransomware note files"}, {"filename": "remote_access_software.csv", "default_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "remote_access_software", "description": "A list of Remote Access Software"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "s3_deletion_baseline", "fields_list": "_key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls", "name": "s3_deletion_baseline", "description": "A placeholder for the baseline information for AWS S3 deletions"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "security_group_activity_baseline", "fields_list": "_key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls", "name": "security_group_activity_baseline", "description": "A placeholder for the baseline information for AWS security groups"}, {"filename": "security_services.csv", "default_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "security_services_lookup", "description": "A list of services that deal with security"}, {"filename": "splunk_risky_command_20240601.csv", "default_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse"}, {"filename": "suspicious_files.csv", "default_match": "false", "match_type": "WILDCARD(file)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "suspicious_writes_lookup", "description": "A list of suspicious file names"}, {"filename": "windows_protocol_handlers.csv", "default_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "zoom_first_time_child_process", "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen", "name": "zoom_first_time_child_process", "description": "A list of suspicious file names"}]} \ No newline at end of file +{"lookups": [{"filename": "3cx_ioc_domains.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack."}, {"filename": "__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl", "description": "Detect DNS Data Exfiltration using pretrained Model in DSDL"}, {"filename": "__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl", "description": "Detect suspicious DNS txt records using Pretrained Model in DSDL"}, {"filename": "__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl", "description": "Detect a suspicious processname using Pretrained Model in DSDL"}, {"filename": "__mlspl_pretrained_dga_model_dsdl.mlmodel", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_pretrained_dga_model_dsdl", "description": "Detect DGA domains using Pretrained Model in DSDL"}, {"filename": "__mlspl_risky_spl_pre_trained_model.mlmodel", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_risky_spl_pre_trained_model", "description": "Detect Risky SPL using Pretrained ML Model"}, {"filename": "__mlspl_unusual_commandline_detection.mlmodel", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "__mlspl_unusual_commandline_detection", "description": "An MLTK model for detecting malicious commandlines"}, {"filename": "advanced_audit_policy_guids.csv", "default_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "api_call_by_user_baseline", "fields_list": "arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls", "name": "api_call_by_user_baseline", "description": "A collection that will contain the baseline information for number of AWS API calls per user"}, {"filename": "applockereventcodes.csv", "default_match": "false", "match_type": "WILDCARD(AppLocker_Event_Code)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "applockereventcodes", "description": "A csv of the ID and rule name for AppLocker event codes."}, {"filename": "asr_rules.csv", "default_match": "false", "match_type": "WILDCARD(ASR_Rule)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "asr_rules", "description": "A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules."}, {"filename": "attacker_tools.csv", "default_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "attacker_tools", "description": "A list of tools used by attackers"}, {"filename": "aws_service_accounts.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "aws_service_accounts", "description": "A lookup file that will contain AWS Service accounts"}, {"filename": "baseline_blocked_outbound_connections.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "baseline_blocked_outbound_connections", "description": "A lookup file that will contain the baseline information for number of blocked outbound connections"}, {"filename": "brand_monitoring.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor"}, {"filename": "browser_app_list.csv", "default_match": "false", "match_type": "WILDCARD(browser_process_name), WILDCARD(browser_object_path)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "browser_app_list", "description": "A list of known browser application being targeted for credential extraction."}, {"filename": "char_conversion_matrix.csv", "default_match": "false", "match_type": "WILDCARD(data)", "min_matches": 1, "case_sensitive_match": "true", "collection": null, "fields_list": null, "name": "char_conversion_matrix", "description": "A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding."}, {"filename": null, "default_match": "false", "match_type": "WILDCARD(filter)", "min_matches": null, "case_sensitive_match": "false", "collection": "cloud_instances_enough_data", "fields_list": "_key, filter, enough_data", "name": "cloud_instances_enough_data", "description": "A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches"}, {"filename": "data_sources.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "data_sources", "description": "Data source objects"}, {"filename": "discovered_dns_records.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "discovered_dns_records", "description": "A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records"}, {"filename": "domain_admins.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "domain_admins", "description": "List of domain admins"}, {"filename": "domains.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "domains", "description": "A list of domains that can be ignored"}, {"filename": "dynamic_dns_providers_default.csv", "default_match": "false", "match_type": "WILDCARD(dynamic_dns_domains)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "dynamic_dns_providers_default", "description": "A list of dynammic dns providers that should not be modified"}, {"filename": "dynamic_dns_providers_local.csv", "default_match": "false", "match_type": "WILDCARD(dynamic_dns_domains)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "dynamic_dns_providers_local", "description": "A list of dynammic dns providers that can be modified"}, {"filename": "hijacklibs.csv", "default_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "hijacklibs", "description": "A list of potentially abused libraries in Windows"}, {"filename": "hijacklibs_loaded.csv", "default_match": "false", "match_type": "WILDCARD(library),WILDCARD(excludes)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "hijacklibs_loaded", "description": "A list of potentially abused libraries in Windows"}, {"filename": "images_to_repository.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "images_to_repository", "description": "Mapping images to repositories"}, {"filename": "is_net_windows_file20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_net_windows_file", "description": "A full baseline of executable files in \\Windows\\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline."}, {"filename": "is_nirsoft_software20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_nirsoft_software", "description": "A subset of utilities provided by NirSoft that may be used by adversaries."}, {"filename": "is_suspicious_file_extension_lookup.csv", "default_match": "false", "match_type": "WILDCARD(file_name)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_suspicious_file_extension_lookup", "description": "A list of suspicious extensions for email attachments"}, {"filename": "is_windows_system_file20231221.csv", "default_match": "false", "match_type": null, "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "is_windows_system_file", "description": "A full baseline of executable files in Windows\\System32 and Windows\\Syswow64, including sub-directories from Server 2016 and Windows 10."}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_container_network_io_baseline", "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen", "name": "k8s_container_network_io_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_container_network_io_ratio_baseline", "fields_list": "key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen", "name": "k8s_container_network_io_ratio_baseline", "description": "A place holder for a list of used Kuberntes Container Network IO Ratio"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_process_resource_baseline", "fields_list": "host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key", "name": "k8s_process_resource_baseline", "description": "A place holder for a list of used Kuberntes Process Resource"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "k8s_process_resource_ratio_baseline", "fields_list": "key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen", "name": "k8s_process_resource_ratio_baseline", "description": "A place holder for a list of used Kuberntes Process Ratios"}, {"filename": "legit_domains.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "legit_domains", "description": "A list of legit domains to be used as an ignore list for possible phishing sites"}, {"filename": "linux_tool_discovery_process.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "linux_tool_discovery_process", "description": "A list of suspicious bash commonly used by attackers via scripts"}, {"filename": "local_file_inclusion_paths.csv", "default_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack"}, {"filename": "lolbas_file_path.csv", "default_match": "false", "match_type": "WILDCARD(lolbas_file_name)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lolbas_file_path", "description": "A list of LOLBAS and their file path used in determining if a script or binary is valid on windows"}, {"filename": "loldrivers.csv", "default_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "loldrivers", "description": "A list of known vulnerable drivers"}, {"filename": "rare_process_allow_list_default.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_rare_process_allow_list_default", "description": "A list of rare processes that are legitimate that is provided by Splunk"}, {"filename": "rare_process_allow_list_local.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_rare_process_allow_list_local", "description": "A list of rare processes that are legitimate provided by the end user"}, {"filename": "uncommon_processes_default.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_uncommon_processes_default", "description": "A list of processes that are not common"}, {"filename": "uncommon_processes_local.csv", "default_match": "false", "match_type": "WILDCARD(process)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "lookup_uncommon_processes_local", "description": "A list of processes that are not common"}, {"filename": "mandatory_job_for_workflow.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow"}, {"filename": "mandatory_step_for_job.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job"}, {"filename": "network_acl_activity_baseline.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "network_acl_activity_baseline", "description": "A lookup file that will contain the baseline information for number of AWS Network ACL Activity"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_api_calls_from_user_roles", "fields_list": "_key,earliest,latest,userName,eventName", "name": "previously_seen_api_calls_from_user_roles", "description": "A placeholder for a list of IPs that have access S3"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_aws_cross_account_activity", "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId", "name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_aws_regions", "fields_list": "_key,earliest,latest,awsRegion", "name": "previously_seen_aws_regions", "description": "A place holder for a list of used AWS regions"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_api_calls_per_user_role", "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data", "name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_creations_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data", "name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_images", "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data", "name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_compute_instance_types", "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data", "name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_instance_modifications_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data", "name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data", "name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_cloud_regions", "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data", "name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities"}, {"filename": "previously_seen_cmd_line_arguments.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "previously_seen_cmd_line_arguments", "description": "A placeholder for a list of cmd line arugments that been seen before"}, {"filename": "previously_seen_ec2_modifications_by_user.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "previously_seen_ec2_modifications_by_user", "description": "A place holder for a list of AWS EC2 modifications done by each user"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_gcp_storage_access_from_remote_ip", "fields_list": "_key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri", "name": "previously_seen_gcp_storage_access_from_remote_ip", "description": "A place holder for a list of GCP storage access from remote IPs"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_running_windows_services", "fields_list": "_key, service, firstTimeSeen, lastTimeSeen", "name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_S3_access_from_remote_ip", "fields_list": "_key, bucket_name,remote_ip,earliest,latest", "name": "previously_seen_S3_access_from_remote_ip", "description": "A placeholder for a list of IPs that have access S3"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country", "name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed"}, {"filename": "privileged_azure_ad_roles.csv", "default_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles."}, {"filename": "prohibited_apps_launching_cmd20231221.csv", "default_match": "false", "match_type": "WILDCARD(prohibited_applications)", "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "prohibited_apps_launching_cmd", "description": "A list of processes that should not be launching cmd.exe"}, {"filename": "prohibited_processes.csv", "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "prohibited_processes", "description": "A list of processes that have been marked as prohibited"}, {"filename": "ransomware_extensions_20231219.csv", "default_match": "false", "match_type": "WILDCARD(Extensions)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "ransomware_extensions_lookup", "description": "A list of file extensions that are associated with ransomware"}, {"filename": "ransomware_notes_20231219.csv", "default_match": "false", "match_type": "WILDCARD(ransomware_notes)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "ransomware_notes_lookup", "description": "A list of file names that are ransomware note files"}, {"filename": "remote_access_software.csv", "default_match": "false", "match_type": "WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "remote_access_software", "description": "A list of Remote Access Software"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "s3_deletion_baseline", "fields_list": "_key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls", "name": "s3_deletion_baseline", "description": "A placeholder for the baseline information for AWS S3 deletions"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "security_group_activity_baseline", "fields_list": "_key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls", "name": "security_group_activity_baseline", "description": "A placeholder for the baseline information for AWS security groups"}, {"filename": "security_services.csv", "default_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "security_services_lookup", "description": "A list of services that deal with security"}, {"filename": "splunk_risky_command_20240601.csv", "default_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse"}, {"filename": "suspicious_files.csv", "default_match": "false", "match_type": "WILDCARD(file)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "suspicious_writes_lookup", "description": "A list of suspicious file names"}, {"filename": "windows_protocol_handlers.csv", "default_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "case_sensitive_match": "false", "collection": null, "fields_list": null, "name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers"}, {"filename": null, "default_match": "false", "match_type": null, "min_matches": null, "case_sensitive_match": "false", "collection": "zoom_first_time_child_process", "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen", "name": "zoom_first_time_child_process", "description": "A list of suspicious file names"}]} \ No newline at end of file diff --git a/dist/api/macros.json b/dist/api/macros.json index d703b3edd4..028417b535 100644 --- a/dist/api/macros.json +++ b/dist/api/macros.json @@ -1 +1 @@ -{"macros": [{"definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "admon"}, {"definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "amazon_security_lake"}, {"definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events.", "name": "applocker"}, {"definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches", "name": "audit_searches"}, {"definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs", "name": "audittrail"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_cloudwatchlogs_eks"}, {"definition": "sourcetype=aws:config", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_config"}, {"definition": "sourcetype=\"aws:description\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_description"}, {"definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users"}, {"definition": "actor.user.name IN (admin)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users_asl"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_s3_accesslogs"}, {"definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_finding"}, {"definition": "sourcetype=\"aws:securityhub:firehose\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_firehose"}, {"definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_audit"}, {"definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_monitor_aad"}, {"definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azuread"}, {"definition": "eval b64x_split=split($b64in$,\"\") | lookup char_conversion_matrix base64char as b64x_split OUTPUT base64bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,\"\") | rex field=b64x_join \"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "name": "base64decode"}, {"definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "bootloader_inventory"}, {"definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_dns"}, {"definition": "lookup update=true brandMonitoring_lookup domain as src_user OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_email"}, {"definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_web"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "capi2_operational"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "certificateservices_lifecycle"}, {"definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "circleci"}, {"definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cisco_networks"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new commands from user roles", "name": "cloud_api_calls_from_previously_unseen_user_roles_activity_window"}, {"definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudtrail"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch eks logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatch_eks"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatch_vpc"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatchlogs_vpcflow"}, {"definition": "sourcetype=\"crushftp:sessionlogs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "crushftp"}, {"definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "driverinventory"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.", "name": "dynamic_dns_providers"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description", "name": "dynamic_dns_web_traffic"}, {"definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances", "name": "ec2_modification_api_calls"}, {"definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365", "name": "evilginx_phishlets_0365"}, {"definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon", "name": "evilginx_phishlets_amazon"}, {"definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console", "name": "evilginx_phishlets_aws"}, {"definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook", "name": "evilginx_phishlets_facebook"}, {"definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub", "name": "evilginx_phishlets_github"}, {"definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google", "name": "evilginx_phishlets_google"}, {"definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook", "name": "evilginx_phishlets_outlook"}, {"definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "exchange"}, {"definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "f5_bigip_rogue"}, {"definition": "null", "description": "Used inside security_content_summariesonly to adjust the fillnull configuration", "name": "fillnull_config"}, {"definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare", "name": "filter_rare_process_allow_list"}, {"definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "github"}, {"definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects.", "name": "github_known_users"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Google GCP. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubnet_message"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubsub_message"}, {"definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_calendar"}, {"definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_drive"}, {"definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_gmail"}, {"definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_login_mfa_methods"}, {"definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_admin"}, {"definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_login"}, {"definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_get_webglobalmodule"}, {"definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_operational_logs"}, {"definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11.", "name": "is_net_windows_file_macro"}, {"definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based.", "name": "is_nirsoft_software_macro"}, {"definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory", "name": "is_windows_system_file_macro"}, {"definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_images"}, {"definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_locations"}, {"definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_agents"}, {"definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_groups"}, {"definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_names"}, {"definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_audit"}, {"definition": "sourcetype=\"kube:container:falco\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_container_falco"}, {"definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_objects_events"}, {"definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_azure"}, {"definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_container_controller"}, {"definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_metrics"}, {"definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_hosts"}, {"definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_shells"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "ms_defender"}, {"definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "msexchange_management"}, {"definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "netbackup"}, {"definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs", "name": "network_acl_events"}, {"definition": "(sourcetype=\"nginx:plus:kv\" OR sourcetype=\"nginx:plus:access\")", "description": "This is the base macro for Nginx sourcetypes", "name": "nginx_access_logs"}, {"definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_graph"}, {"definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_management_activity"}, {"definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "okta"}, {"definition": "true", "description": "Used inside security_content_summariesonly to adjust the allow_old_summaries configuration", "name": "oldsummaries_config"}, {"definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery"}, {"definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery_process"}, {"definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "papercutng"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "path_traversal_spl_injection"}, {"definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "pingid"}, {"definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username", "name": "potential_password_in_username_false_positive_reduction"}, {"definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier", "name": "potentially_malicious_code_on_cmdline_tokenize_score"}, {"definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "powershell"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud api calls per user role", "name": "previously_seen_cloud_api_calls_per_user_role_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not", "name": "previously_seen_cloud_compute_creations_by_user_search_window_begin_offset"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the image is new or not", "name": "previously_seen_cloud_compute_image_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance images", "name": "previously_seen_cloud_compute_images_forget_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance types", "name": "previously_seen_cloud_compute_instance_type_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the instance type is new or not", "name": "previously_seen_cloud_compute_instance_types_search_window_begin_offset"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not", "name": "previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud provisioning locations", "name": "previously_seen_cloud_provisioning_activity_forget_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud regions", "name": "previously_seen_cloud_region_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the region is new or not", "name": "previously_seen_cloud_regions_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of Windows services", "name": "previously_seen_windows_services_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services", "name": "previously_seen_windows_services_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of zoom child processes", "name": "previously_seen_zoom_child_processes_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes", "name": "previously_seen_zoom_child_processes_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities", "name": "previously_unseen_cloud_provisioning_activity_window"}, {"definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "printservice"}, {"definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_bitsadmin"}, {"definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_certutil"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_cmd"}, {"definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_copy"}, {"definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_csc"}, {"definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_curl"}, {"definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_diskshadow"}, {"definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dllhost"}, {"definition": "(Processes.process_name=dsquery.exe OR Processes.original_file_name=dsquery.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dsquery"}, {"definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dxdiag"}, {"definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_esentutl"}, {"definition": "(Processes.process_name=fodhelper.exe OR Processes.original_file_name=FodHelper.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_fodhelper"}, {"definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_gpupdate"}, {"definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_hh"}, {"definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_installutil"}, {"definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_microsoftworkflowcompiler"}, {"definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msbuild"}, {"definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_mshta"}, {"definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msiexec"}, {"definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_net"}, {"definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_netsh"}, {"definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_nltest"}, {"definition": "(Processes.process_name=ntdsutil.exe OR Processes.original_file_name=ntdsutil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ntdsutil"}, {"definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ping"}, {"definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_powershell"}, {"definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_procdump"}, {"definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_psexec"}, {"definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name.", "name": "process_rclone"}, {"definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_reg"}, {"definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regasm"}, {"definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvcs"}, {"definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvr32"}, {"definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_route"}, {"definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_runas"}, {"definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_rundll32"}, {"definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_schtasks"}, {"definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_sdelete"}, {"definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_setspn"}, {"definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_verclsid"}, {"definition": "(Processes.process_name=vssadmin.exe OR Processes.original_file_name=VSSADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_vssadmin"}, {"definition": "(Processes.process_name=wbadmin.exe OR Processes.original_file_name=WBADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wbadmin"}, {"definition": "(Processes.process_name=wermgr.exe OR Processes.original_file_name=wermgr.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wermgr"}, {"definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wmic"}, {"definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe", "name": "prohibited_apps_launching_cmd_macro"}, {"definition": "search *", "description": "This macro is deprecated. Update this macro to look for prohibited softwares in your environment", "name": "prohibited_softwares"}, {"definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware", "name": "ransomware_extensions"}, {"definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note", "name": "ransomware_notes"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "remoteconnectionmanager"}, {"definition": "eval domain=trim(domain,\"*\") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain=\"*\"+domain+\"*\"", "description": "This macro removes valid domains from the output", "name": "remove_valid_domains"}, {"definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "risk_index"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "s3_accesslogs"}, {"definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "name": "security_content_ctime"}, {"definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only", "name": "security_content_summariesonly"}, {"definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups", "name": "security_group_api_calls"}, {"definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes", "name": "splunk_crash_log"}, {"definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunk_python"}, {"definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd"}, {"definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_failed_auths"}, {"definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_investigation_rest_handler"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_ui"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_web"}, {"definition": "index=_internal sourcetype=splunk_web_service", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webs"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webx"}, {"definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkda"}, {"definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_dns"}, {"definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_http"}, {"definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_tcp"}, {"definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "subjectinterfacepackage"}, {"definition": "false", "description": "Used inside security_content_summariesonly to adjust the summariesonly configuration", "name": "summariesonly_config"}, {"definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "suricata"}, {"definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions", "name": "suspicious_email_attachments"}, {"definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious", "name": "suspicious_writes"}, {"definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "sysmon"}, {"definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration", "name": "system_network_configuration_discovery_tools"}, {"definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation.", "name": "uacbypass_process_name"}, {"definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon", "name": "uncommon_processes"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "windows_shells"}, {"definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_application"}, {"definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_security"}, {"definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_system"}, {"definition": "source=\"XmlWinEventLog:Security\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_task_scheduler"}, {"definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wmi"}, {"definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_rpc"}, {"definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_ssl"}, {"definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_x509"}, {"definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zscaler_proxy"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "crushftp_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_login_attempts_to_routers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_risky_spl_using_pretrained_ml_model_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_attachments_with_lots_of_spaces_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_files_written_outside_of_the_outlook_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_servers_sending_high_volume_traffic_to_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_email_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "no_windows_updates_in_a_time_frame_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_idp_lifecycle_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mfa_exhaustion_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_accounts_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_requests_to_access_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_api_token_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_device_enrolled_on_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_phishing_detection_with_fastpass_origin_check_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_risk_threshold_exceeded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_activity_reported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_use_of_a_session_cookie_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_threat_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_unauthorized_access_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_user_logins_from_multiple_cities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "path_traversal_spl_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_mismatch_auth_source_and_verification_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_after_credential_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_absolute_path_traversal_using_runshellscript_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_authentication_token_exposure_in_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_delete_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_infrastructure_version_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_lack_of_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_using_malformed_saml_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_dump_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_malformed_s2s_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_post_request_datamodel_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_printf_search_function_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_edit_user_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_kv_store_incorrect_authorization_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_windows_deserialization_file_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_through_investigation_attachments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_http_response_splitting_via_rest_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_information_disclosure_in_splunk_add_on_builder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_information_disclosure_on_account_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_list_all_nonstandard_admin_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_process_injection_forwarder_bundle_downloads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_configuration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_pdfgen_render_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_external_lookup_copybuckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_serialized_session_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_in_the_templates_lists_radio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_on_app_search_table_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_risky_command_abuse_disclosed_february_2023_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_conf_web_settings_on_premises_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_data_model_objectname_field_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_specially_crafted_bulletin_message_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_dos_via_null_pointer_references_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_log_injection_web_service_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_path_traversal_modules_messaging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthorized_experimental_items_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthorized_notification_input_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_user_enumeration_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_highlighted_json_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_monitoring_console_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_via_external_urls_in_dashboards_ssrf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_via_view_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email_attachment_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_java_classes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_servers_executing_suspicious_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_destroyed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_launched_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_security_group_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ami_attribute_modification_for_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_console_login_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_create_policy_version_to_allow_all_resources_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_failed_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_getpassworddata_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_rds_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cross_account_activity_from_previously_unseen_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_putbucketlifecycle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_attach_to_role_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_permanent_key_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_role_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_assume_role_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_get_session_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_disable_bucket_versioning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ec2_snapshot_shared_externally_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_high_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_medium_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_batch_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_bucket_replication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_datasync_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_ec2_snapshot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_accessdenied_discovery_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_assume_role_policy_brute_force_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_lambda_updatefunctioncode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_created_with_all_open_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_s3_exfiltration_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_access_by_provider_user_and_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_update_identity_provider_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_setdefaultpolicyversion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_console_authentication_from_multiple_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_updateloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_active_directory_high_risk_sign_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_admin_consent_bypassed_by_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_application_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_device_code_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_external_guest_user_invited_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_fullaccessasapp_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_global_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_denied_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_service_principals_created_by_sp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_service_principals_created_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_custom_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_oauth_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assignment_activated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_authentication_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_graph_api_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_to_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_authentication_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_powershell_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_enabled_and_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_immutableid_attribute_updated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_account_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_runbook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_runbook_webhook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_job_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_step_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_api_calls_from_previously_unseen_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_in_previously_unused_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_image_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_instance_modified_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_security_groups_modifications_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_new_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_gcp_storage_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_gcp_storage_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_over_aws_cli_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_s3_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_s3_bucket_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_gcploit_framework_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gdrive_suspicious_file_sharing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_actions_disable_security_workflow_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_changes_in_master_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_in_develop_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_dependabot_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_pull_request_from_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_drive_share_in_external_email_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_subject_with_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_with_known_abuse_web_service_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_outbound_email_with_attachment_to_external_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_calendar_invite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_shared_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_number_of_login_failures_from_a_single_source_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_access_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_network_activity_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_outbound_network_io_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_outbound_network_activity_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_traffic_on_network_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_create_or_update_privileged_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_cron_job_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_daemonset_deployed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_falco_shell_spawned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_newly_seen_tcp_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_newly_seen_udp_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_lfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_rfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_node_port_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_pod_created_in_default_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_pod_with_host_network_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_container_image_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_running_from_new_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_anomalous_resource_utilisation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_resource_ratio_anomalies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanner_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanning_by_unauthenticated_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_suspicious_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_unauthorized_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_add_app_role_assignment_grant_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_added_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_admin_consent_bypassed_by_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_advanced_audit_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_application_registration_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_applicationimpersonation_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_bypass_mfa_via_trusted_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_compliance_content_search_exported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_compliance_content_search_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_disable_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_elevated_mailbox_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_authentication_failures_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_sso_logon_errors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_file_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_fullaccessasapp_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_privilege_role_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mail_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_email_forwarding_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_folder_read_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_folder_read_permission_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_inbox_folder_shared_with_all_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_read_access_granted_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_mailboxes_accessed_via_api_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_service_principals_created_by_sp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_service_principals_created_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_email_forwarding_rule_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_email_forwarding_rule_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_forwarding_mailflow_rule_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_oauth_app_mailbox_access_via_ews_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_oauth_app_mailbox_access_via_graph_api_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_privileged_graph_api_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_pst_export_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_security_and_compliance_alert_triggered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "risk_rule_for_dev_sec_ops_by_repository_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clients_connecting_to_multiple_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_repository_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_user_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_activity_related_to_pass_the_hash_attacks_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_api_activity_from_users_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_api_activities_from_unapproved_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_long_dns_txt_record_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_using_loaded_images_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_api_calls_from_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_user_aws_console_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_network_acl_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_security_group_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_usb_device_insertion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_web_traffic_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_dns_tunnels_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_record_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_modified_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_in_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_ami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_spaces_before_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extended_period_without_successful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_command_line_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_oauth_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "identify_new_user_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_pod_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_dns_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_admin_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_rights_delegation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_user_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_lockout_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_failed_sso_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_login_failure_with_high_unknown_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_suspected_passwordspray_attack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_two_or_more_rejected_okta_pushes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "open_redirect_in_splunk_web_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "osquery_pack___coldroot_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_created_by_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_software_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_registry_key_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_tasks_used_in_badrabbit_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spectre_and_meltdown_vulnerable_systems_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_information_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_changes_to_file_associations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email___uba_anomaly_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_powershell_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_system_volume_information_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uncommon_processes_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsigned_image_loaded_by_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsuccessful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___account_harvesting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___anomalous_user_clickspeed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___password_sharing_across_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_connhost_exe_started_forcefully_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hosts_file_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "3cx_supply_chain_attack_network_indicators_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "7zip_commandline_to_smb_share_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_lsass_memory_for_dump_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_lateral_movement_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_privilege_escalation_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_setup_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_defaultuser_and_password_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_or_set_windows_defender_exclusion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adsisearcher_account_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_file_and_printing_sharing_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_by_firewall_rule_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_in_firewall_rule_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_network_discovery_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_operation_with_consent_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "anomalous_usage_of_7zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadfile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attacker_tools_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_add_certificate_to_untrusted_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_stop_security_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempted_credential_dump_from_registry_via_reg_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "auto_admin_logon_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "batch_file_write_to_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_command_back_to_normal_mode_boot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_failure_recovery_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bits_job_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bitsadmin_download_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_urlcache_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_verifyctl_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_exe_certificate_extraction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_with_decode_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_default_file_association_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_to_safe_mode_with_network_config_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "chcp_command_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "check_elevated_cmd_using_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "child_processes_of_spoolsv_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clear_unallocated_sector_using_cipher_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_ransomware_known_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_carry_out_string_command_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_echo_pipe___escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmdline_tool_not_executed_in_cmd_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmlua_or_cmstplua_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cobalt_strike_named_pipes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_notes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_path_traversal_windows_sacl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "conti_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "control_loading_from_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_local_admin_accounts_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_or_delete_windows_shares_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_in_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_into_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_lsass_dump_with_taskmgr_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_with_wmic_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_copy_command_from_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_symlink_to_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "csc_net_on_the_fly_compilation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "curl_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "delete_shadowcopy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_of_net_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_shadow_copies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_segfault_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certipy_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_computer_changed_with_anonymous_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_copy_of_shadowcopy_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_credential_dumping_through_lsass_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_empire_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_account_lockouts_from_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_user_account_lockouts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_exchange_web_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_spawn_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_using_infotech_storage_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_local_admin_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outlook_exe_writing_a_zip_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_path_interception_by_creation_of_program_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_processes_used_for_system_network_configuration_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_prohibited_applications_spawning_cmd_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_psexec_with_accepteula_flag_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rare_executables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rclone_command_line_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvr32_application_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_fileinfo_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_7_zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_psexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_rclone_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_winrar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___advpack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___setupapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___syssetup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_webshell_exploit_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_wmi_event_subscription_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_tools_built_by_nirsoft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_amsi_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_antivirus_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_blockatfirstseen_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_enhanced_notification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_mpengine_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_spynet_reporting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_submit_samples_consent_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_etw_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_logs_using_wevtutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_registry_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_security_logs_using_minint_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_show_hidden_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_uac_remote_restriction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_app_hotkeys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_behavior_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_smartscreen_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_cmd_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_controlpanel_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_defender_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_firewall_with_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_folderoptions_windows_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_net_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_norun_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_remote_user_account_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_systemrestore_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_task_manager_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_windows_local_security_authority_defences_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dllhost_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_exfiltration_using_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_nltest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "download_files_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "drop_icedid_license_dat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dsquery_domain_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_comsvcs_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_rdp_in_other_port_number_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_wdigest_uselogoncredential_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enumerate_users_local_group_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "esentutl_sam_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "etw_registry_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "eventvwr_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_attempt_to_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_distinct_processes_from_windows_temp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_file_deletion_in_windefender_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_service_control_start_as_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_taskhost_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_service_stop_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_cacls_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_sc_service_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_abuse_via_ssrf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_module_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executable_file_written_in_administrative_smb_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executables_or_script_creation_in_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execute_javascript_with_jscript_com_clsid_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_multiple_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extraction_of_registry_hives_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "file_with_samsam_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "firewall_allowed_program_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_child_process_of_zoom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_running_windows_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fodhelper_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fsutil_zeroing_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gpupdate_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_mockbin_or_mocky_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hide_user_account_from_sign_in_screen_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hiding_files_and_directories_with_attrib_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_frequency_copy_of_files_in_network_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_process_termination_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_3cxdesktopapp_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_deny_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_grant_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icedid_exfiltrated_archived_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_smbexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "interactive_session_on_remote_endpoint_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_class_file_download_by_java_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_writing_jsp_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jscript_execution_using_cscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberoasting_spn_request_with_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_service_ticket_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_tgt_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_user_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "known_services_killed_by_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_account_manipulation_of_ssh_config_and_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_files_in_known_crontab_directories_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_adding_crontab_using_list_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_get_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_allow_config_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_busybox_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c89_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c99_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_change_file_owner_to_root_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_clipboard_data_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_common_process_for_elevation_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_composer_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_cpulimit_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_csvtool_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_curl_upload_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_data_destruction_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_dd_file_overwrite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_decode_base64_to_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deleting_critical_directory_using_rm_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_cron_jobs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_init_daemon_script_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_ssl_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_conf_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_docker_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_edit_cron_table_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_emacs_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_created_in_kernel_driver_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_init_boot_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_profile_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_find_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gdb_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gem_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gnu_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_hardware_addition_swapoff_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_impair_defenses_process_kill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_clear_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_service_file_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_with_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_insert_kernel_module_using_insmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_install_kernel_module_using_modprobe_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_iptables_firewall_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_java_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kernel_module_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kworker_process_in_writable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_make_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_mysql_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_node_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_nopasswd_entry_in_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_obfuscated_files_or_information_base64_decode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_octave_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_openvpn_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_persistence_and_privilege_escalation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_php_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_pkexec_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_or_modification_of_sshd_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_credential_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_at_allow_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_profile_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_cronjob_modification_with_editor_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_ssh_key_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_preload_hijack_library_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_proxy_socks_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_puppet_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_rpm_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ruby_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_file_created_in_systemd_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_restarted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_started_or_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_chmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_setcap_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_shred_overwrite_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sqlite3_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_authorized_keys_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_remote_services_script_execute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stdout_redirection_to_dev_null_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stop_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudo_or_su_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudoers_tmp_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_network_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_reboot_via_system_request_key_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_unix_shell_enable_all_sysrq_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_visudo_utility_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "living_off_the_land_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "loading_of_dynwrapx_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_cve_2021_44228_exploitation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "logon_script_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "lolbas_with_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos___re_opened_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_lolbin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_plutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mailsniper_invoke_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_executed_as_a_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___encoded_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___execution_policy_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process_with_obfuscation_techniques_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mimikatz_passtheticket_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mmc_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modification_of_wallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modify_acl_permission_to_files_or_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_registry_keys_for_print_monitors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_ldap_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_wmi_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msbuild_suspicious_spawned_by_script_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshta_spawning_rundll32_or_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshtml_module_load_in_office_product_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msi_module_loaded_by_non_system_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msmpeng_application_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_profiler_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_arp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_netstat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_discovery_using_route_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_share_discovery_via_dir_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_traffic_to_active_directory_web_services_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nishang_powershelltcponeline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nltest_domain_trust_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_chrome_process_accessing_chrome_default_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_firefox_process_access_firefox_profile_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "notepad_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ntdsutil_export_ntds_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_drop_executable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_rundll32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_creating_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_executing_macro_code_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_spawned_child_process_to_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawn_cmd_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_bitsadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_rundll32_with_no_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_writing_cab_or_inf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_spawning_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "outbound_network_connection_from_java_using_default_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "overwriting_accessibility_binaries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_suspicious_behavior_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "password_policy_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "permission_modification_using_takeown_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_network_share_access_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_suspicious_kerberos_tgt_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ping_sleep_batch_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_browser_pass_view_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_lateral_movement_powershell_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potential_password_in_username_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potentially_malicious_code_on_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_4104_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell___connect_to_internet_with_hidden_window_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_creating_thread_mutex_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_disable_security_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_domain_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_powershell_remoting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_smb1protocol_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_execute_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_process_injection_via_getprocaddress_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_script_contains_base64_encoded_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_cimmethod_cimsession_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_wmiexec_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_load_module_in_meterpreter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_loading_dotnet_into_memory_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_processing_stream_of_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_services_add_trustedhost_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_thread_to_known_windows_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remove_windows_defender_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_script_block_with_url_chain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_bitstransfer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_or_stop_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_using_memory_as_backing_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_webrequest_using_memory_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_windows_defender_exclusion_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prevent_automatic_repair_mode_using_bcdedit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_processor_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_adding_a_printer_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_failed_to_load_a_plug_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_creating_lnk_file_in_suspicious_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_deleting_its_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_kill_base_on_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_writing_dynamicwrapperx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_launching_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_tapping_keyboard_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_scheduled_task_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_windows_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ransomware_notes_bulk_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_avproduct_through_pwh_or_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_using_wmi_class_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recursive_delete_of_directory_in_batch_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_manipulating_windows_services_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_for_creating_shim_databases_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_silent_and_install_param_dll_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_with_known_silent_switch_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_client_registry_install_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_rat_file_creation_in_remcos_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_process_running_on_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_winrs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_wmi_command_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "resize_shadowstorage_volume_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_command_line_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "runas_execution_in_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_create_remote_thread_to_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_createremotethread_in_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_dnsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_lockworkstation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_process_creating_exe_dll_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_shimcache_flush_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll_loading_dll_by_ordinal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_test_files_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_wake_on_lan_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sam_database_file_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "samsam_test_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sc_exe_manipulating_windows_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schcache_change_by_app_connect_and_create_adsi_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_http_command_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_rundll32_command_trigger_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_creation_on_remote_endpoint_using_at_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_deleted_or_created_via_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_run_task_on_demand_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_scheduling_job_on_remote_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_used_for_forcing_a_reboot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "screensaver_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "script_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdclt_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdelete_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "searchprotocolhost_with_no_command_line_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "secretdumps_offline_ntds_dumping_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_setspn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_escalate_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_installation_with_suspicious_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_scheduled_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_windows_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "silentcleanup_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "single_letter_process_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_runas_elevated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spike_in_file_writes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_spawning_rundll32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_process_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sqlite_module_in_temp_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "steal_or_forge_authentication_certificates_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sunburst_correlation_dll_and_network_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_computer_account_name_change_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_copy_on_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_curl_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_dllhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_driver_loaded_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_event_log_service_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_gpupdate_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_icedid_rundll32_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_image_creation_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_linux_discovery_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_dns_query_known_abuse_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_executed_from_container_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_with_discord_dns_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_reg_exe_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_regsvr32_register_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_plugininit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_startw_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_scheduled_task_from_public_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_searchprotocolhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_sqlite3_lsquarantine_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_ticket_granting_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wav_file_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wevtutil_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_windows_recycle_bin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "svchost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_info_gathering_using_dxdiag_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_information_discovery_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_processes_run_from_unexpected_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "time_provider_persistence_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "trickbot_named_pipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_mmc_load_unsigned_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_with_colorui_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uninstall_app_using_msiexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unknown_process_using_the_kerberos_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unload_sysmon_filter_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unloading_amsi_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_kerberos_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_remote_endpoint_authentication_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "usn_journal_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vbscript_execution_using_wscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "verclsid_clsid_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "w3wp_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbadmin_delete_system_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbemprox_com_object_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_connecting_to_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_create_executable_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_spawned_cmd_or_powershell_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wget_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_abused_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_sedebugprivilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_none_disable_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_sam_account_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_with_netuser_preauthnotrequire_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_abnormal_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_adminsdholder_acl_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_cross_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_audit_policy_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_promotion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_replication_acl_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_account_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_account_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_by_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_same_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_serviceprincipalname_added_to_domain_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_controller_spn_attribute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_server_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_sid_history_attribute_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_adfind_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admin_permission_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_administrative_shares_accessed_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___base64_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___executable_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___process_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_apache_benchmark_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_qakbot_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_block_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_execution_from_uncommon_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_privilege_escalation_via_unauthorized_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_rare_application_launch_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_rar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autoit3_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autostart_execution_lsass_driver_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_binary_proxy_execution_mavinject_dll_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bootloader_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bypass_uac_via_pkgmgr_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cab_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cached_domain_credentials_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_change_default_file_association_for_no_file_ext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_clipboard_data_via_get_clipboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_dcrat_forkbomb_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_fetch_env_variables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_common_abused_cmd_shell_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_created_by_computer_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_requesting_kerberos_ticket_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_with_spn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_conhost_with_headless_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_create_local_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_access_from_browser_password_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_dumping_lsass_memory_createdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_extension_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_localstate_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_login_data_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_in_registry_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_download_to_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_upload_to_remote_destination_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_data_destruction_recursive_exec_files_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_debugger_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defacement_modify_transcodedwallpaper_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_with_gpme_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_audit_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_block_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rule_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rules_stacking_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_exclusion_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_delete_or_modify_system_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_change_password_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_lock_workstation_feature_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_logoff_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_memory_crash_dump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_notification_center_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_or_modify_tools_via_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_shutdown_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_event_logging_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_group_policy_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disableantispyware_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskcryptor_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskshadow_proxy_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dism_remove_defender_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_with_iscsicpl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_in_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_process_child_of_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dns_gather_network_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dnsadmins_new_member_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_account_discovery_via_get_netcomputer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_admin_impersonation_indicator_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dotnet_binary_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_load_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_drivers_loaded_by_signature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_enable_win32_scheduledjob_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_for_service_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_log_cleared_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_triggered_image_file_execution_options_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_excessive_disabled_services_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_executable_in_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_execute_arbitrary_commands_with_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_share_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_transfer_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_without_extension_in_critical_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_domain_organizational_units_with_getdomainou_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_findstr_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_forest_discovery_with_getforestdomain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_host_information_camera_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_identity_sam_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_network_info_through_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_local_admin_with_findlocaladminaccess_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hidden_schedule_task_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hide_notification_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_high_file_deletion_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hijack_execution_flow_version_dll_side_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hunting_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_identify_protocol_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_add_new_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_get_webglobalmodule_module_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_module_failed_to_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_new_module_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_add_xml_applocker_rules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_health_check_intervals_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_quick_scan_interval_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_throttle_rate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_tracing_level_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_configure_app_install_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_define_win_defender_threat_action_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_context_menu_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_profile_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_deny_security_software_with_applocker_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_controlled_folder_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_defender_firewall_and_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_defender_protocol_recognition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_pua_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_realtime_signature_delivery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_web_evaluation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_app_guard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_compute_file_hashes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_gen_reports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_network_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_report_infection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_scan_on_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_signature_retirement_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_overide_win_defender_phishing_filter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_override_smartscreen_prompt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_hvci_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_win_defender_auto_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indicator_removal_via_rmdir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_pcalua_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_series_of_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_information_discovery_fsutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ingress_tool_transfer_using_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_inprocserver32_new_outlook_form_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_input_capture_using_credential_ui_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_credential_theft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_remote_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iso_lnk_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_java_spawning_shells_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_kerberos_local_successful_logon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_abused_dll_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_graphicalproton_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_krbrelayup_service_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_large_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lateral_tool_transfer_remcom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ldifde_directory_object_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_linked_policies_in_adsi_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_local_administrator_credential_stuffing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lsa_secrets_nolmhash_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mail_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mark_of_the_web_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_explorer_as_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_msdtc_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_crypto_export_file_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_authenticationleveloverride_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_minor_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_update_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_default_icon_setting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_restricted_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_toast_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windefender_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windows_security_center_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disableremotedesktopantialias_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disablesecuritysettings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disabling_wer_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disallow_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_do_not_connect_to_win_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_dontshowui_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_enablelinkedconnections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_longpathsenabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_maxconnectionperserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_nochangingwallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyenable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_qakbot_binary_data_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_reg_restore_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_regedit_silent_reg_import_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_suppress_win_defender_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_tamper_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_updateserviceurlalternate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_usewuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_with_md5_reg_key_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wustatusserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_show_compress_color_and_info_tip_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_system_firewall_with_notable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mof_event_triggered_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_moveit_transfer_writing_aspx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msexchange_management_mailbox_cmdlet_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_execution_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_writing_to_world_writable_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_hidewindow_rundll32_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_remote_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_discovery_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_windbg_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_unregister_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_with_network_connections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multi_hop_proxy_tor_website_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_account_passwords_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_accounts_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_accounts_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_new_inprocserver32_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_advancedrun_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_utilities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_njrat_fileless_storage_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_discord_app_access_discord_leveldb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_response_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_office_product_spawning_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_papercut_ng_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_parent_pid_spoofing_with_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_password_managers_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_outlook_drop_dll_in_form_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_pdf_file_executes_url_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_recent_iso_exec_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_possible_credential_dumping_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_post_exploitation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_add_module_to_global_assembly_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_cryptography_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_get_ciminstance_remote_computer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_iis_components_webglobalmodule_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_import_applocker_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_remotesigned_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_scheduletask_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_wmi_win32_scheduledjob_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powersploit_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_ad_access_control_list_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_constrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_spn_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_private_keys_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_suspicious_process_elevation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_system_process_without_system_parent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_user_process_spawn_system_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_commandline_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_in_non_service_searchindexer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_into_notepad_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_of_wermgr_to_known_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_remote_thread_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_wermgr_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_with_public_source_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_with_namedpipe_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_writing_file_to_world_writable_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_processes_killed_by_industroyer2_malware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_protocol_tunneling_with_plink_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_browser_list_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_reg_save_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_uninstall_program_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raccine_scheduled_task_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rapid_authentication_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rasautou_dll_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_disk_volume_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_master_boot_record_drive_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rdp_connection_successful_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_bootexecute_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_certificate_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_delete_task_sd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_modification_for_safe_mode_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_payload_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_sip_provider_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_regsvr32_renamed_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_brc4_loaded_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_rms_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_assistance_spawning_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_create_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_service_rdpwinst_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_rdp_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_remote_assistance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_rdp_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_replication_through_removable_media_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_root_domain_linked_policies_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_apply_user_settings_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_created_via_xml_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_service_spawned_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_with_highest_privileges_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_schtasks_create_run_as_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_screen_capture_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_account_manager_stopped_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_support_provider_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_server_software_component_gacutil_install_to_gac_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_kernel_mode_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_remcomsvc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_sliverc2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_with_tscon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_with_suspicious_service_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_using_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_deletion_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_by_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_via_net__and_sc_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_win_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_provider_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_winverifytrust_failed_trust_validation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_file_modification_crmlog_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_kernel_driver_comadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_service_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_soaphound_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_special_privileged_logon_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sql_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sqlwriter_sqldumper_dll_sideload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_issued_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certutil_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cryptoapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cs_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_or_forge_kerberos_tickets_klist_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_suspect_process_with_authentication_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_ldap_nslookup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_qwinsta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_logoff_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_config_discovery_display_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_connections_discovery_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_reboot_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_shutdown_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_time_discovery_w32tm_delay_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_discovery_via_quser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_privilege_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_terminating_lsass_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_via_choice_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_escalation_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsecured_outlook_credentials_access_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_dll_side_loading_in_same_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_ms_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_user_execution_malicious_url_shortcut_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_valid_account_with_never_expires_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_3cx_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_windbg_spawning_autoit3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_winlogon_with_public_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_impersonate_token_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_and_service_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_call_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_to_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_windows_task_scheduler_event_action_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winhlp32_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrar_spawning_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_recon_running_process_or_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_temporary_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_noninteractive_app_uninstallation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_xsl_execution_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmiprsve_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wscript_or_cscript_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsmprovhost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsreset_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xmrig_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xsl_script_execution_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_arp_poisoning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_hosts_connecting_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_ipv6_network_infrastructure_threats_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_large_outbound_icmp_packets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_ldap_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_smb_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_port_security_violation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rogue_dhcp_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_snicat_sni_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_software_download_to_network_device_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_traffic_mirroring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_unauthorized_assets_by_mac_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_splunk_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_zerologon_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_outliers___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_with_high_standard_deviation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_dns_failures_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_volume_of_bytes_out_to_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "large_volume_of_dns_any_queries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_archive_files_http_post_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ngrok_reverse_proxy_on_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "plain_http_post_exfiltrated_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_network_traffic_allowed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocol_or_port_mismatch_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocols_passing_authentication_in_cleartext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_bruteforce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_identified_ssl_tls_certificates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ssl_certificates_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "tor_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_content_type_length_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_service_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_rogue_domain_controller_network_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zeek_x509_certificate_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_access_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cisco_ios_xe_implant_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_exploitation_cve_2023_3519_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_sharefile_exploitation_cve_2023_24489_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_cve_2023_22515_trigger_vulnerability_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_data_center_and_server_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_f5_tmui_rce_cve_2020_5902_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_malicious_requests_to_exploit_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_application_via_apache_commons_text_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_tmui_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fortinet_appliance_auth_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_for_log4shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_command_injection_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_ssrf_in_saml_component_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_system_information_access_via_auth_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_sentry_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jenkins_arbitrary_file_read_cve_2024_23897_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_rce_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "juniper_networks_remote_code_execution_exploit_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_with_outbound_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "microsoft_sharepoint_server_elevation_of_privilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_web_traffic_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nginx_connectwise_screenconnect_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_remote_web_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "proxyshell_proxynotshell_behavior_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spring4shell_payload_url_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sql_injection_with_long_urls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "supernova_webshell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_aria_operations_exploit_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_server_side_template_injection_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_workspace_one_freemarker_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_jsp_request_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_remote_shellservlet_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring4shell_http_request_class_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring_cloud_function_functionrouter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exchange_autodiscover_ssrf_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wordpress_bricks_builder_plugin_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ws_ftp_remote_code_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_adware_activities_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_behavior_analysis_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_cryptominer_downloaded_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_employment_search_web_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_exploit_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_legal_liability_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_malware_activity_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_phishing_activity_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_potentially_abused_file_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_privacy_risk_destinations_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_scam_destinations_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_virus_download_threat_blocked_filter"}]} \ No newline at end of file +{"macros": [{"definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "admon"}, {"definition": "sourcetype=aws:cloudtrail:lake", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "amazon_security_lake"}, {"definition": "(source=\"WinEventLog:Microsoft-Windows-AppLocker/*\" OR source=\"XmlWinEventLog:Microsoft-Windows-AppLocker/*\")", "description": "This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events.", "name": "applocker"}, {"definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches", "name": "audit_searches"}, {"definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs", "name": "audittrail"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_cloudwatchlogs_eks"}, {"definition": "sourcetype=aws:config", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_config"}, {"definition": "sourcetype=\"aws:description\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_description"}, {"definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users"}, {"definition": "actor.user.name IN (admin)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users_asl"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_s3_accesslogs"}, {"definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_finding"}, {"definition": "sourcetype=\"aws:securityhub:firehose\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_firehose"}, {"definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_audit"}, {"definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_monitor_aad"}, {"definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azuread"}, {"definition": "eval b64x_split=split($b64in$,\"\") | lookup char_conversion_matrix base64char as b64x_split OUTPUT base64bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,\"\") | rex field=b64x_join \"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "name": "base64decode"}, {"definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "bootloader_inventory"}, {"definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_dns"}, {"definition": "lookup update=true brandMonitoring_lookup domain as src_user OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_email"}, {"definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_web"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "capi2_operational"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "certificateservices_lifecycle"}, {"definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "circleci"}, {"definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cisco_networks"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new commands from user roles", "name": "cloud_api_calls_from_previously_unseen_user_roles_activity_window"}, {"definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudtrail"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch eks logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatch_eks"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatch_vpc"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatchlogs_vpcflow"}, {"definition": "sourcetype=\"crushftp:sessionlogs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "crushftp"}, {"definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "driverinventory"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.", "name": "dynamic_dns_providers"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description", "name": "dynamic_dns_web_traffic"}, {"definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances", "name": "ec2_modification_api_calls"}, {"definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365", "name": "evilginx_phishlets_0365"}, {"definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon", "name": "evilginx_phishlets_amazon"}, {"definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console", "name": "evilginx_phishlets_aws"}, {"definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook", "name": "evilginx_phishlets_facebook"}, {"definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub", "name": "evilginx_phishlets_github"}, {"definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google", "name": "evilginx_phishlets_google"}, {"definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook", "name": "evilginx_phishlets_outlook"}, {"definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "exchange"}, {"definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "f5_bigip_rogue"}, {"definition": "null", "description": "Used inside security_content_summariesonly to adjust the fillnull configuration", "name": "fillnull_config"}, {"definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare", "name": "filter_rare_process_allow_list"}, {"definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "github"}, {"definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects.", "name": "github_known_users"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Google GCP. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubnet_message"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubsub_message"}, {"definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_calendar"}, {"definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_drive"}, {"definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_gmail"}, {"definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_login_mfa_methods"}, {"definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_admin"}, {"definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_login"}, {"definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_get_webglobalmodule"}, {"definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_operational_logs"}, {"definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11.", "name": "is_net_windows_file_macro"}, {"definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based.", "name": "is_nirsoft_software_macro"}, {"definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory", "name": "is_windows_system_file_macro"}, {"definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_images"}, {"definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_locations"}, {"definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_agents"}, {"definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_groups"}, {"definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_names"}, {"definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_audit"}, {"definition": "sourcetype=\"kube:container:falco\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_container_falco"}, {"definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_objects_events"}, {"definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_azure"}, {"definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_container_controller"}, {"definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_metrics"}, {"definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_hosts"}, {"definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_shells"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "ms_defender"}, {"definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "msexchange_management"}, {"definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "netbackup"}, {"definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs", "name": "network_acl_events"}, {"definition": "(sourcetype=\"nginx:plus:kv\" OR sourcetype=\"nginx:plus:access\")", "description": "This is the base macro for Nginx sourcetypes", "name": "nginx_access_logs"}, {"definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_graph"}, {"definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_management_activity"}, {"definition": "eventtype=okta_log OR sourcetype = \"OktaIM2:log\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "okta"}, {"definition": "true", "description": "Used inside security_content_summariesonly to adjust the allow_old_summaries configuration", "name": "oldsummaries_config"}, {"definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery"}, {"definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery_process"}, {"definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "papercutng"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "path_traversal_spl_injection"}, {"definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "pingid"}, {"definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username", "name": "potential_password_in_username_false_positive_reduction"}, {"definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier", "name": "potentially_malicious_code_on_cmdline_tokenize_score"}, {"definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "powershell"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud api calls per user role", "name": "previously_seen_cloud_api_calls_per_user_role_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not", "name": "previously_seen_cloud_compute_creations_by_user_search_window_begin_offset"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the image is new or not", "name": "previously_seen_cloud_compute_image_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance images", "name": "previously_seen_cloud_compute_images_forget_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance types", "name": "previously_seen_cloud_compute_instance_type_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the instance type is new or not", "name": "previously_seen_cloud_compute_instance_types_search_window_begin_offset"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not", "name": "previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud provisioning locations", "name": "previously_seen_cloud_provisioning_activity_forget_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud regions", "name": "previously_seen_cloud_region_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the region is new or not", "name": "previously_seen_cloud_regions_search_window_begin_offset"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of Windows services", "name": "previously_seen_windows_services_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services", "name": "previously_seen_windows_services_window"}, {"definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of zoom child processes", "name": "previously_seen_zoom_child_processes_forget_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes", "name": "previously_seen_zoom_child_processes_window"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities", "name": "previously_unseen_cloud_provisioning_activity_window"}, {"definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "printservice"}, {"definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_bitsadmin"}, {"definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_certutil"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_cmd"}, {"definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_copy"}, {"definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_csc"}, {"definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_curl"}, {"definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_diskshadow"}, {"definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dllhost"}, {"definition": "(Processes.process_name=dsquery.exe OR Processes.original_file_name=dsquery.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dsquery"}, {"definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dxdiag"}, {"definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_esentutl"}, {"definition": "(Processes.process_name=fodhelper.exe OR Processes.original_file_name=FodHelper.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_fodhelper"}, {"definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_gpupdate"}, {"definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_hh"}, {"definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_installutil"}, {"definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_microsoftworkflowcompiler"}, {"definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msbuild"}, {"definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_mshta"}, {"definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msiexec"}, {"definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_net"}, {"definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_netsh"}, {"definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_nltest"}, {"definition": "(Processes.process_name=ntdsutil.exe OR Processes.original_file_name=ntdsutil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ntdsutil"}, {"definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ping"}, {"definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_powershell"}, {"definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_procdump"}, {"definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_psexec"}, {"definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name.", "name": "process_rclone"}, {"definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_reg"}, {"definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regasm"}, {"definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvcs"}, {"definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvr32"}, {"definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_route"}, {"definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_runas"}, {"definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_rundll32"}, {"definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_schtasks"}, {"definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_sdelete"}, {"definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_setspn"}, {"definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_verclsid"}, {"definition": "(Processes.process_name=vssadmin.exe OR Processes.original_file_name=VSSADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_vssadmin"}, {"definition": "(Processes.process_name=wbadmin.exe OR Processes.original_file_name=WBADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wbadmin"}, {"definition": "(Processes.process_name=wermgr.exe OR Processes.original_file_name=wermgr.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wermgr"}, {"definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wmic"}, {"definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe", "name": "prohibited_apps_launching_cmd_macro"}, {"definition": "search *", "description": "This macro is deprecated. Update this macro to look for prohibited softwares in your environment", "name": "prohibited_softwares"}, {"definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware", "name": "ransomware_extensions"}, {"definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note", "name": "ransomware_notes"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "remoteconnectionmanager"}, {"definition": "eval domain=trim(domain,\"*\") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain=\"*\"+domain+\"*\"", "description": "This macro removes valid domains from the output", "name": "remove_valid_domains"}, {"definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "risk_index"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "s3_accesslogs"}, {"definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "name": "security_content_ctime"}, {"definition": "summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config`", "description": "search data model's summaries only", "name": "security_content_summariesonly"}, {"definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups", "name": "security_group_api_calls"}, {"definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes", "name": "splunk_crash_log"}, {"definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunk_python"}, {"definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd"}, {"definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_failed_auths"}, {"definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_investigation_rest_handler"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_ui"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_web"}, {"definition": "index=_internal sourcetype=splunk_web_service", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webs"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webx"}, {"definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkda"}, {"definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_dns"}, {"definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_http"}, {"definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_tcp"}, {"definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "subjectinterfacepackage"}, {"definition": "false", "description": "Used inside security_content_summariesonly to adjust the summariesonly configuration", "name": "summariesonly_config"}, {"definition": "sourcetype=suricata", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "suricata"}, {"definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions", "name": "suspicious_email_attachments"}, {"definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious", "name": "suspicious_writes"}, {"definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "sysmon"}, {"definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration", "name": "system_network_configuration_discovery_tools"}, {"definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation.", "name": "uacbypass_process_name"}, {"definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon", "name": "uncommon_processes"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "windows_shells"}, {"definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_application"}, {"definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_security"}, {"definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_system"}, {"definition": "source=\"XmlWinEventLog:Security\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_task_scheduler"}, {"definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wmi"}, {"definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_rpc"}, {"definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_ssl"}, {"definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_x509"}, {"definition": "source=zscaler sourcetype=zscalernss-web", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zscaler_proxy"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "crushftp_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_distributed_password_spray_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_login_attempts_to_routers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_password_spray_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_risky_spl_using_pretrained_ml_model_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_attachments_with_lots_of_spaces_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_files_written_outside_of_the_outlook_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_servers_sending_high_volume_traffic_to_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_email_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "no_windows_updates_in_a_time_frame_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_idp_lifecycle_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mfa_exhaustion_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_accounts_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_requests_to_access_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_api_token_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_device_enrolled_on_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_phishing_detection_with_fastpass_origin_check_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_risk_threshold_exceeded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_activity_reported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_use_of_a_session_cookie_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_threat_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_unauthorized_access_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_user_logins_from_multiple_cities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "path_traversal_spl_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_mismatch_auth_source_and_verification_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_after_credential_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_absolute_path_traversal_using_runshellscript_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_authentication_token_exposure_in_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_delete_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_infrastructure_version_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_lack_of_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_using_malformed_saml_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_dump_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_malformed_s2s_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_post_request_datamodel_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_printf_search_function_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_edit_user_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_kv_store_incorrect_authorization_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_windows_deserialization_file_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_through_investigation_attachments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_http_response_splitting_via_rest_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_information_disclosure_in_splunk_add_on_builder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_information_disclosure_on_account_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_list_all_nonstandard_admin_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_process_injection_forwarder_bundle_downloads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_configuration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_pdfgen_render_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_external_lookup_copybuckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_serialized_session_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_in_the_templates_lists_radio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_on_app_search_table_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_risky_command_abuse_disclosed_february_2023_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_conf_web_settings_on_premises_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_data_model_objectname_field_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_specially_crafted_bulletin_message_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_dos_via_null_pointer_references_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_log_injection_web_service_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_path_traversal_modules_messaging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthorized_experimental_items_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthorized_notification_input_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_user_enumeration_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_highlighted_json_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_monitoring_console_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_via_external_urls_in_dashboards_ssrf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_via_view_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email_attachment_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_java_classes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_servers_executing_suspicious_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_add_self_to_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_increase_in_group_or_object_modification_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_increase_in_user_modification_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_destroyed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_launched_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_security_group_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ami_attribute_modification_for_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_console_login_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_create_policy_version_to_allow_all_resources_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_failed_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_getpassworddata_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_rds_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cross_account_activity_from_previously_unseen_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_putbucketlifecycle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_attach_to_role_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_permanent_key_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_role_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_assume_role_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_get_session_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_disable_bucket_versioning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ec2_snapshot_shared_externally_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_high_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_medium_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_batch_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_bucket_replication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_datasync_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_ec2_snapshot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_accessdenied_discovery_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_assume_role_policy_brute_force_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_lambda_updatefunctioncode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_created_with_all_open_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_s3_exfiltration_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_access_by_provider_user_and_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_update_identity_provider_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_setdefaultpolicyversion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_console_authentication_from_multiple_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_updateloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_active_directory_high_risk_sign_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_admin_consent_bypassed_by_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_application_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_device_code_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_external_guest_user_invited_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_fullaccessasapp_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_global_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_denied_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_service_principals_created_by_sp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_service_principals_created_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_custom_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_oauth_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assignment_activated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_authentication_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_graph_api_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_to_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_authentication_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_powershell_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_enabled_and_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_immutableid_attribute_updated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_account_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_runbook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_runbook_webhook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_job_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_step_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_api_calls_from_previously_unseen_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_in_previously_unused_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_image_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_instance_modified_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_security_groups_modifications_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_new_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_gcp_storage_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_gcp_storage_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_over_aws_cli_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_s3_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_s3_bucket_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_gcploit_framework_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gdrive_suspicious_file_sharing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_actions_disable_security_workflow_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_changes_in_master_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_in_develop_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_dependabot_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_pull_request_from_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_drive_share_in_external_email_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_subject_with_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_with_known_abuse_web_service_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_outbound_email_with_attachment_to_external_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_calendar_invite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_shared_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_number_of_login_failures_from_a_single_source_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_access_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_network_activity_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_outbound_network_io_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_outbound_network_activity_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_traffic_on_network_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_create_or_update_privileged_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_cron_job_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_daemonset_deployed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_falco_shell_spawned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_newly_seen_tcp_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_newly_seen_udp_edge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_lfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_rfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_node_port_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_pod_created_in_default_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_pod_with_host_network_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_container_image_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_running_from_new_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_anomalous_resource_utilisation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_resource_ratio_anomalies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanner_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanning_by_unauthenticated_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_suspicious_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_unauthorized_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_add_app_role_assignment_grant_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_added_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_admin_consent_bypassed_by_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_advanced_audit_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_application_registration_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_applicationimpersonation_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_bypass_mfa_via_trusted_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_compliance_content_search_exported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_compliance_content_search_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_disable_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_elevated_mailbox_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_authentication_failures_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_sso_logon_errors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_file_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_fullaccessasapp_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_privilege_role_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mail_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_email_forwarding_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_folder_read_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_folder_read_permission_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_inbox_folder_shared_with_all_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_read_access_granted_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_mailboxes_accessed_via_api_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_service_principals_created_by_sp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_service_principals_created_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_email_forwarding_rule_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_email_forwarding_rule_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_forwarding_mailflow_rule_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_oauth_app_mailbox_access_via_ews_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_oauth_app_mailbox_access_via_graph_api_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_privileged_graph_api_permission_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_pst_export_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_security_and_compliance_alert_triggered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "risk_rule_for_dev_sec_ops_by_repository_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clients_connecting_to_multiple_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_repository_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_user_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_activity_related_to_pass_the_hash_attacks_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_api_activity_from_users_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_api_activities_from_unapproved_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_long_dns_txt_record_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_using_loaded_images_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_api_calls_from_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_user_aws_console_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_network_acl_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_security_group_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_usb_device_insertion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_web_traffic_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_dns_tunnels_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_record_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_modified_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_in_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_ami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_spaces_before_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extended_period_without_successful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_command_line_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_oauth_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "identify_new_user_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_pod_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_dns_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_admin_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_rights_delegation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_user_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_lockout_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_failed_sso_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_login_failure_with_high_unknown_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_suspected_passwordspray_attack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_two_or_more_rejected_okta_pushes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "open_redirect_in_splunk_web_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "osquery_pack___coldroot_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_created_by_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_software_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_registry_key_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_tasks_used_in_badrabbit_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spectre_and_meltdown_vulnerable_systems_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_information_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_changes_to_file_associations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email___uba_anomaly_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_powershell_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_system_volume_information_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uncommon_processes_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsigned_image_loaded_by_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsuccessful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___account_harvesting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___anomalous_user_clickspeed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___password_sharing_across_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_connhost_exe_started_forcefully_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hosts_file_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "3cx_supply_chain_attack_network_indicators_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "7zip_commandline_to_smb_share_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_lsass_memory_for_dump_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_lateral_movement_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_privilege_escalation_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_setup_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_defaultuser_and_password_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_or_set_windows_defender_exclusion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adsisearcher_account_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_file_and_printing_sharing_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_by_firewall_rule_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_in_firewall_rule_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_network_discovery_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_operation_with_consent_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "anomalous_usage_of_7zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadfile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attacker_tools_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_add_certificate_to_untrusted_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_stop_security_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempted_credential_dump_from_registry_via_reg_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "auto_admin_logon_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "batch_file_write_to_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_command_back_to_normal_mode_boot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_failure_recovery_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bits_job_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bitsadmin_download_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_urlcache_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_verifyctl_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_exe_certificate_extraction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_with_decode_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_default_file_association_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_to_safe_mode_with_network_config_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "chcp_command_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "check_elevated_cmd_using_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "child_processes_of_spoolsv_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clear_unallocated_sector_using_cipher_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_ransomware_known_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_carry_out_string_command_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_echo_pipe___escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmdline_tool_not_executed_in_cmd_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmlua_or_cmstplua_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cobalt_strike_named_pipes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_notes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_path_traversal_windows_sacl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "conti_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "control_loading_from_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_local_admin_accounts_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_or_delete_windows_shares_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_in_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_into_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_lsass_dump_with_taskmgr_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_with_wmic_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_copy_command_from_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_symlink_to_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "csc_net_on_the_fly_compilation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "curl_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "delete_shadowcopy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_of_net_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_shadow_copies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_segfault_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certipy_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_computer_changed_with_anonymous_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_copy_of_shadowcopy_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_credential_dumping_through_lsass_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_empire_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_account_lockouts_from_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_user_account_lockouts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_exchange_web_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_spawn_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_using_infotech_storage_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_local_admin_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outlook_exe_writing_a_zip_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_path_interception_by_creation_of_program_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_processes_used_for_system_network_configuration_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_prohibited_applications_spawning_cmd_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_psexec_with_accepteula_flag_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rare_executables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rclone_command_line_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvr32_application_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_fileinfo_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_7_zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_psexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_rclone_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_winrar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___advpack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___setupapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___syssetup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_webshell_exploit_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_wmi_event_subscription_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_tools_built_by_nirsoft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_amsi_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_antivirus_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_blockatfirstseen_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_enhanced_notification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_mpengine_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_spynet_reporting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_submit_samples_consent_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_etw_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_logs_using_wevtutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_registry_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_security_logs_using_minint_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_show_hidden_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_uac_remote_restriction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_app_hotkeys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_behavior_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_smartscreen_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_cmd_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_controlpanel_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_defender_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_firewall_with_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_folderoptions_windows_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_net_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_norun_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_remote_user_account_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_systemrestore_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_task_manager_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_windows_local_security_authority_defences_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dllhost_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_exfiltration_using_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_nltest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "download_files_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "drop_icedid_license_dat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dsquery_domain_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_comsvcs_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_rdp_in_other_port_number_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_wdigest_uselogoncredential_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enumerate_users_local_group_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "esentutl_sam_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "etw_registry_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "eventvwr_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_attempt_to_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_distinct_processes_from_windows_temp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_file_deletion_in_windefender_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_service_control_start_as_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_taskhost_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_service_stop_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_cacls_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_sc_service_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_abuse_via_ssrf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_module_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executable_file_written_in_administrative_smb_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executables_or_script_creation_in_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execute_javascript_with_jscript_com_clsid_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_multiple_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extraction_of_registry_hives_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "file_with_samsam_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "firewall_allowed_program_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_child_process_of_zoom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_running_windows_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fodhelper_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fsutil_zeroing_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gpupdate_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_mockbin_or_mocky_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hide_user_account_from_sign_in_screen_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hiding_files_and_directories_with_attrib_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_frequency_copy_of_files_in_network_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_process_termination_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_3cxdesktopapp_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_deny_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_grant_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icedid_exfiltrated_archived_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_smbexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "interactive_session_on_remote_endpoint_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_class_file_download_by_java_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_writing_jsp_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jscript_execution_using_cscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberoasting_spn_request_with_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_service_ticket_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_tgt_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_user_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "known_services_killed_by_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_account_manipulation_of_ssh_config_and_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_files_in_known_crontab_directories_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_adding_crontab_using_list_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_get_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_allow_config_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_busybox_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c89_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c99_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_change_file_owner_to_root_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_clipboard_data_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_common_process_for_elevation_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_composer_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_cpulimit_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_csvtool_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_curl_upload_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_data_destruction_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_dd_file_overwrite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_decode_base64_to_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deleting_critical_directory_using_rm_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_cron_jobs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_init_daemon_script_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_ssl_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_conf_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_docker_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_edit_cron_table_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_emacs_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_created_in_kernel_driver_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_init_boot_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_profile_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_find_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gdb_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gem_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gnu_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_hardware_addition_swapoff_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_impair_defenses_process_kill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_clear_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_service_file_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_with_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_insert_kernel_module_using_insmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_install_kernel_module_using_modprobe_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_iptables_firewall_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_java_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kernel_module_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kworker_process_in_writable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_make_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_mysql_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_node_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_nopasswd_entry_in_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_obfuscated_files_or_information_base64_decode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_octave_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_openvpn_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_persistence_and_privilege_escalation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_php_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_pkexec_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_or_modification_of_sshd_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_credential_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_at_allow_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_profile_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_cronjob_modification_with_editor_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_ssh_key_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_preload_hijack_library_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_proxy_socks_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_puppet_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_rpm_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ruby_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_file_created_in_systemd_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_restarted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_started_or_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_chmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_setcap_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_shred_overwrite_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sqlite3_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_authorized_keys_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_remote_services_script_execute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stdout_redirection_to_dev_null_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stop_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudo_or_su_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudoers_tmp_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_network_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_reboot_via_system_request_key_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_unix_shell_enable_all_sysrq_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_visudo_utility_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "living_off_the_land_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "loading_of_dynwrapx_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_cve_2021_44228_exploitation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "logon_script_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "lolbas_with_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos___re_opened_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_lolbin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_plutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mailsniper_invoke_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_executed_as_a_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___encoded_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___execution_policy_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process_with_obfuscation_techniques_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mimikatz_passtheticket_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mmc_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modification_of_wallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modify_acl_permission_to_files_or_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_registry_keys_for_print_monitors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_ldap_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_wmi_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msbuild_suspicious_spawned_by_script_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshta_spawning_rundll32_or_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshtml_module_load_in_office_product_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msi_module_loaded_by_non_system_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msmpeng_application_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_profiler_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_arp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_netstat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_discovery_using_route_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_share_discovery_via_dir_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_traffic_to_active_directory_web_services_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nishang_powershelltcponeline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nltest_domain_trust_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_chrome_process_accessing_chrome_default_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_firefox_process_access_firefox_profile_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "notepad_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ntdsutil_export_ntds_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_drop_executable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_rundll32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_creating_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_executing_macro_code_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_spawned_child_process_to_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawn_cmd_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_bitsadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_rundll32_with_no_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_writing_cab_or_inf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_spawning_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "outbound_network_connection_from_java_using_default_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "overwriting_accessibility_binaries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_suspicious_behavior_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "password_policy_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "permission_modification_using_takeown_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_network_share_access_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_suspicious_kerberos_tgt_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ping_sleep_batch_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_browser_pass_view_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_lateral_movement_powershell_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potential_password_in_username_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potentially_malicious_code_on_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_4104_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell___connect_to_internet_with_hidden_window_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_creating_thread_mutex_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_disable_security_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_domain_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_powershell_remoting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_smb1protocol_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_execute_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_process_injection_via_getprocaddress_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_script_contains_base64_encoded_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_cimmethod_cimsession_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_wmiexec_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_load_module_in_meterpreter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_loading_dotnet_into_memory_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_processing_stream_of_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_services_add_trustedhost_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_thread_to_known_windows_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remove_windows_defender_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_script_block_with_url_chain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_bitstransfer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_or_stop_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_using_memory_as_backing_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_webrequest_using_memory_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_windows_defender_exclusion_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prevent_automatic_repair_mode_using_bcdedit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_processor_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_adding_a_printer_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_failed_to_load_a_plug_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_creating_lnk_file_in_suspicious_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_deleting_its_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_kill_base_on_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_writing_dynamicwrapperx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_launching_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_tapping_keyboard_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_scheduled_task_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_windows_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ransomware_notes_bulk_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_avproduct_through_pwh_or_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_using_wmi_class_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recursive_delete_of_directory_in_batch_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_manipulating_windows_services_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_for_creating_shim_databases_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_silent_and_install_param_dll_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_with_known_silent_switch_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_client_registry_install_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_rat_file_creation_in_remcos_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_process_running_on_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_winrs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_wmi_command_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "resize_shadowstorage_volume_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_command_line_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "runas_execution_in_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_create_remote_thread_to_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_createremotethread_in_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_dnsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_lockworkstation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_process_creating_exe_dll_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_shimcache_flush_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll_loading_dll_by_ordinal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_test_files_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_wake_on_lan_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sam_database_file_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "samsam_test_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sc_exe_manipulating_windows_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schcache_change_by_app_connect_and_create_adsi_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_http_command_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_rundll32_command_trigger_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_creation_on_remote_endpoint_using_at_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_deleted_or_created_via_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_run_task_on_demand_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_scheduling_job_on_remote_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_used_for_forcing_a_reboot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "screensaver_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "script_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdclt_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdelete_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "searchprotocolhost_with_no_command_line_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "secretdumps_offline_ntds_dumping_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_setspn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_escalate_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_installation_with_suspicious_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_scheduled_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_windows_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "silentcleanup_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "single_letter_process_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_runas_elevated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spike_in_file_writes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_spawning_rundll32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_process_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sqlite_module_in_temp_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "steal_or_forge_authentication_certificates_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sunburst_correlation_dll_and_network_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_computer_account_name_change_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_copy_on_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_curl_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_dllhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_driver_loaded_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_event_log_service_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_gpupdate_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_icedid_rundll32_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_image_creation_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_linux_discovery_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_dns_query_known_abuse_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_executed_from_container_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_with_discord_dns_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_reg_exe_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_regsvr32_register_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_plugininit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_startw_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_scheduled_task_from_public_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_searchprotocolhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_sqlite3_lsquarantine_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_ticket_granting_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wav_file_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wevtutil_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_windows_recycle_bin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "svchost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_info_gathering_using_dxdiag_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_information_discovery_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_processes_run_from_unexpected_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "time_provider_persistence_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "trickbot_named_pipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_mmc_load_unsigned_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_with_colorui_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uninstall_app_using_msiexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unknown_process_using_the_kerberos_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unload_sysmon_filter_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unloading_amsi_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_kerberos_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_remote_endpoint_authentication_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "usn_journal_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vbscript_execution_using_wscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "verclsid_clsid_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "w3wp_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbadmin_delete_system_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbemprox_com_object_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_connecting_to_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_create_executable_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_spawned_cmd_or_powershell_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wget_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_abused_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_sedebugprivilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_none_disable_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_sam_account_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_with_netuser_preauthnotrequire_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_abnormal_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_adminsdholder_acl_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_cross_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_audit_policy_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_promotion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_replication_acl_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_account_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_account_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_by_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_same_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_serviceprincipalname_added_to_domain_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_controller_spn_attribute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_server_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_sid_history_attribute_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_adfind_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admin_permission_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_administrative_shares_accessed_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___base64_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___executable_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___process_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_apache_benchmark_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_qakbot_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_block_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_execution_from_uncommon_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_privilege_escalation_via_unauthorized_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_applocker_rare_application_launch_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_rar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autoit3_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autostart_execution_lsass_driver_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_binary_proxy_execution_mavinject_dll_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bootloader_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bypass_uac_via_pkgmgr_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cab_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cached_domain_credentials_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_change_default_file_association_for_no_file_ext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_clipboard_data_via_get_clipboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_dcrat_forkbomb_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_fetch_env_variables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_common_abused_cmd_shell_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_created_by_computer_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_requesting_kerberos_ticket_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_with_spn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_conhost_with_headless_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_create_local_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_access_from_browser_password_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_dumping_lsass_memory_createdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_extension_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_localstate_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_login_data_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_in_registry_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_download_to_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_upload_to_remote_destination_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_data_destruction_recursive_exec_files_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_debugger_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defacement_modify_transcodedwallpaper_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_with_gpme_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_audit_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_block_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rule_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rules_stacking_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_exclusion_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_delete_or_modify_system_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_change_password_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_lock_workstation_feature_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_logoff_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_memory_crash_dump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_notification_center_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_or_modify_tools_via_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_shutdown_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_event_logging_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_group_policy_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disableantispyware_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskcryptor_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskshadow_proxy_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dism_remove_defender_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_with_iscsicpl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_in_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_process_child_of_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dns_gather_network_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dnsadmins_new_member_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_account_discovery_via_get_netcomputer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_admin_impersonation_indicator_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dotnet_binary_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_load_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_drivers_loaded_by_signature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_enable_win32_scheduledjob_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_for_service_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_log_cleared_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_triggered_image_file_execution_options_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_excessive_disabled_services_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_executable_in_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_execute_arbitrary_commands_with_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_share_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_transfer_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_without_extension_in_critical_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_domain_organizational_units_with_getdomainou_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_findstr_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_forest_discovery_with_getforestdomain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_host_information_camera_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_identity_sam_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_network_info_through_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_local_admin_with_findlocaladminaccess_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hidden_schedule_task_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hide_notification_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_high_file_deletion_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hijack_execution_flow_version_dll_side_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hunting_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_identify_protocol_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_add_new_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_get_webglobalmodule_module_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_module_failed_to_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_new_module_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_add_xml_applocker_rules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_health_check_intervals_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_quick_scan_interval_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_throttle_rate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_change_win_defender_tracing_level_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_configure_app_install_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_define_win_defender_threat_action_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_context_menu_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_profile_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_deny_security_software_with_applocker_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_controlled_folder_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_defender_firewall_and_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_defender_protocol_recognition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_pua_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_realtime_signature_delivery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_web_evaluation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_app_guard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_compute_file_hashes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_gen_reports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_network_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_report_infection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_scan_on_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_disable_win_defender_signature_retirement_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_overide_win_defender_phishing_filter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_override_smartscreen_prompt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_hvci_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_win_defender_auto_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indicator_removal_via_rmdir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_pcalua_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_series_of_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_information_discovery_fsutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ingress_tool_transfer_using_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_inprocserver32_new_outlook_form_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_input_capture_using_credential_ui_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_credential_theft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_remote_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iso_lnk_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_java_spawning_shells_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_kerberos_local_successful_logon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_abused_dll_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_graphicalproton_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_krbrelayup_service_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_large_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lateral_tool_transfer_remcom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ldifde_directory_object_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_linked_policies_in_adsi_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_local_administrator_credential_stuffing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lsa_secrets_nolmhash_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mail_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mark_of_the_web_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_explorer_as_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_msdtc_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_crypto_export_file_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_authenticationleveloverride_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_minor_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_update_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_default_icon_setting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_restricted_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_toast_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windefender_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windows_security_center_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disableremotedesktopantialias_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disablesecuritysettings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disabling_wer_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disallow_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_do_not_connect_to_win_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_dontshowui_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_enablelinkedconnections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_longpathsenabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_maxconnectionperserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_nochangingwallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyenable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_qakbot_binary_data_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_reg_restore_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_regedit_silent_reg_import_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_suppress_win_defender_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_tamper_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_updateserviceurlalternate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_usewuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_with_md5_reg_key_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wustatusserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_show_compress_color_and_info_tip_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_system_firewall_with_notable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mof_event_triggered_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_moveit_transfer_writing_aspx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msexchange_management_mailbox_cmdlet_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_execution_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_writing_to_world_writable_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_hidewindow_rundll32_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_remote_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_discovery_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_windbg_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_unregister_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_with_network_connections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multi_hop_proxy_tor_website_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_account_passwords_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_accounts_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_accounts_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_network_share_interaction_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_new_inprocserver32_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_advancedrun_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_utilities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_njrat_fileless_storage_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_discord_app_access_discord_leveldb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_response_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_office_product_spawning_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_papercut_ng_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_parent_pid_spoofing_with_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_password_managers_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_outlook_drop_dll_in_form_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_pdf_file_executes_url_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_recent_iso_exec_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_possible_credential_dumping_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_post_exploitation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_add_module_to_global_assembly_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_cryptography_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_get_ciminstance_remote_computer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_iis_components_webglobalmodule_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_import_applocker_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_remotesigned_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_scheduletask_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_wmi_win32_scheduledjob_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powersploit_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_ad_access_control_list_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_constrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_spn_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_private_keys_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_suspicious_process_elevation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_system_process_without_system_parent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_privilege_escalation_user_process_spawn_system_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_commandline_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_in_non_service_searchindexer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_into_notepad_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_of_wermgr_to_known_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_remote_thread_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_wermgr_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_with_public_source_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_with_namedpipe_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_writing_file_to_world_writable_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_processes_killed_by_industroyer2_malware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_protocol_tunneling_with_plink_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_browser_list_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_reg_save_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_uninstall_program_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raccine_scheduled_task_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rapid_authentication_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rasautou_dll_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_disk_volume_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_master_boot_record_drive_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rdp_connection_successful_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_bootexecute_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_certificate_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_delete_task_sd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_modification_for_safe_mode_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_payload_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_sip_provider_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_regsvr32_renamed_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_brc4_loaded_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_rms_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_assistance_spawning_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_create_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_service_rdpwinst_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_rdp_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_remote_assistance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_rdp_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_replication_through_removable_media_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_root_domain_linked_policies_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_apply_user_settings_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_created_via_xml_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_service_spawned_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_with_highest_privileges_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_schtasks_create_run_as_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_screen_capture_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_account_manager_stopped_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_support_provider_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_server_software_component_gacutil_install_to_gac_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_kernel_mode_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_remcomsvc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_sliverc2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_with_tscon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_with_suspicious_service_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_using_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_deletion_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_by_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_via_net__and_sc_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_win_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_provider_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_winverifytrust_failed_trust_validation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_file_modification_crmlog_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_kernel_driver_comadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_service_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_soaphound_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_special_privileged_logon_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sql_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sqlwriter_sqldumper_dll_sideload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_issued_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certutil_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cryptoapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cs_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_or_forge_kerberos_tickets_klist_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_suspect_process_with_authentication_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_ldap_nslookup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_qwinsta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_logoff_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_config_discovery_display_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_connections_discovery_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_reboot_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_shutdown_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_time_discovery_w32tm_delay_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_discovery_via_quser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_privilege_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_terminating_lsass_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_via_choice_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_escalation_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsecured_outlook_credentials_access_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_dll_side_loading_in_same_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_ms_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_user_execution_malicious_url_shortcut_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_valid_account_with_never_expires_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_3cx_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_driver_installed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_windbg_spawning_autoit3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_winlogon_with_public_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_impersonate_token_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_and_service_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_call_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_to_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_windows_task_scheduler_event_action_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winhlp32_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrar_spawning_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_recon_running_process_or_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_temporary_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_noninteractive_app_uninstallation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_xsl_execution_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmiprsve_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wscript_or_cscript_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsmprovhost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsreset_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xmrig_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xsl_script_execution_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_arp_poisoning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_hosts_connecting_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_ipv6_network_infrastructure_threats_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_large_outbound_icmp_packets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_ldap_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_smb_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_port_security_violation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rogue_dhcp_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_snicat_sni_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_software_download_to_network_device_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_traffic_mirroring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_unauthorized_assets_by_mac_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_splunk_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_zerologon_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_outliers___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_with_high_standard_deviation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_dns_failures_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_volume_of_bytes_out_to_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "internal_horizontal_port_scan_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "internal_vertical_port_scan_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "internal_vulnerability_scan_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "large_volume_of_dns_any_queries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_archive_files_http_post_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ngrok_reverse_proxy_on_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "plain_http_post_exfiltrated_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_network_traffic_allowed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocol_or_port_mismatch_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocols_passing_authentication_in_cleartext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_bruteforce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_identified_ssl_tls_certificates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ssl_certificates_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "tor_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_content_type_length_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_service_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_rogue_domain_controller_network_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zeek_x509_certificate_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_access_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cisco_ios_xe_implant_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_exploitation_cve_2023_3519_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_sharefile_exploitation_cve_2023_24489_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_cve_2023_22515_trigger_vulnerability_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_data_center_and_server_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "connectwise_screenconnect_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_f5_tmui_rce_cve_2020_5902_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_malicious_requests_to_exploit_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_remote_access_software_usage_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_application_via_apache_commons_text_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_tmui_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fortinet_appliance_auth_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_for_log4shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_command_injection_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_ssrf_in_saml_component_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_connect_secure_system_information_access_via_auth_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_sentry_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jenkins_arbitrary_file_read_cve_2024_23897_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_authentication_bypass_cve_2024_27198_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_rce_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "juniper_networks_remote_code_execution_exploit_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_with_outbound_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "microsoft_sharepoint_server_elevation_of_privilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_web_traffic_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nginx_connectwise_screenconnect_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_remote_web_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "proxyshell_proxynotshell_behavior_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spring4shell_payload_url_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sql_injection_with_long_urls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "supernova_webshell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_aria_operations_exploit_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_server_side_template_injection_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_workspace_one_freemarker_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_jsp_request_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_remote_shellservlet_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring4shell_http_request_class_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring_cloud_function_functionrouter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exchange_autodiscover_ssrf_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wordpress_bricks_builder_plugin_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ws_ftp_remote_code_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_adware_activities_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_behavior_analysis_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_cryptominer_downloaded_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_employment_search_web_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_exploit_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_legal_liability_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_malware_activity_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_phishing_activity_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_potentially_abused_file_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_privacy_risk_destinations_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_scam_destinations_threat_blocked_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zscaler_virus_download_threat_blocked_filter"}]} \ No newline at end of file diff --git a/dist/api/stories.json b/dist/api/stories.json index 529696f82d..3f56996757 100644 --- a/dist/api/stories.json +++ b/dist/api/stories.json @@ -1,5 +1 @@ -<<<<<<< HEAD -{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule", "ESCU - Kubernetes newly seen TCP edge - Rule", "ESCU - Kubernetes newly seen UDP edge - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Previously Unseen Process - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes newly seen TCP edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes newly seen UDP edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Previously Unseen Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Deletion of SSL Certificate - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Account Manipulation Of SSH Config and Keys", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion of SSL Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\nThis Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Authentication", "Change", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.\nIt is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Short Lived Windows Accounts - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Windows Accounts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Excessive Account Lockouts From Endpoint - Rule", "ESCU - Detect Excessive User Account Lockouts - Rule", "ESCU - Windows Create Local Account - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Detect Excessive Account Lockouts From Endpoint", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Excessive User Account Lockouts", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Create Local Account", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures.\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": []}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": []}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack.\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["Get Notable History", "Investigate Suspicious Strings in HTTP Header", "Investigate Web POSTs From src"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": []}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "APT29 Diplomatic Deceptions with WINELOADER", "author": "Michael Haag, splunk", "date": "2024-03-26", "version": 1, "id": "7cb5fdb5-4c36-4721-8b0a-4cc5e78afadd", "description": "APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "narrative": "APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Windows Process Writing File to World Writable Path - Rule", "ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule", "ESCU - Windows Unsigned MS DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Writing File to World Writable Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned MS DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["Get First Occurrence and Last Occurrence of a MAC Address", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": []}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": []}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["AWS Investigate User Activities By AccessKeyId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS IAM Failure Group Deletion - Rule", "ESCU - ASL AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule", "ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS CreateAccessKey", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Cloud Network Access Control List Deleted - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Network Access Control List Deleted", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "references": ["https://aws.amazon.com/security-hub/features/"], "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage.\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Excessive Security Scanning - Rule", "ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Excessive Security Scanning", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Device Code Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule", "ESCU - Windows Multiple Account Passwords Changed - Rule", "ESCU - Windows Multiple Accounts Deleted - Rule", "ESCU - Windows Multiple Accounts Disabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Windows Multiple Account Passwords Changed", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Accounts Deleted", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Accounts Disabled", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SchCache Change By App Connect And Create ADSI Object - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SchCache Change By App Connect And Create ADSI Object", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Brute Ratel C4", "author": "Teoderick Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Network_Resolution", "Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "086b18bb-dc9d-43a7-93c4-661ec62d493b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls.\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures.\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": []}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution.\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception.\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used.\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": []}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\n- What is the default, or normal, process lineage for spawnto_ value?\n- Does the spawnto_ value make network connections?\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["Get Notable History", "Investigate Network Traffic From src ip"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\nAttacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence.\nUse the searches to detect and monitor suspicious behavior related to these activities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": []}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": []}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Confluence Data Center and Confluence Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-22", "version": 1, "id": "509387a5-ab53-4656-8bb5-4bc8c2c074d9", "description": "The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.", "references": ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "narrative": "The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": []}]}, {"name": "ConnectWise ScreenConnect Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "fbee3185-748c-40d8-a60c-c2e2c9eb738b", "description": "This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "narrative": "The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - ConnectWise ScreenConnect Path Traversal - Rule", "ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule", "ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule", "ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "ConnectWise ScreenConnect Path Traversal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": []}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Change", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["Investigate Failed Logins for Multiple Destinations", "Investigate Pass the Hash Attempts", "Investigate Pass the Ticket Attempts", "Investigate Previous Unseen User"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CrushFTP Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "933df821-3b75-4669-a58a-e85d2cd7b9b0", "description": "CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "narrative": "CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CrushFTP Server Side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CrushFTP Server Side Template Injection", "source": "application", "type": "TTP", "tags": []}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation.\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints.\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch.\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access.\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency.\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing.\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available.\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cyclops Blink", "author": "Teoderick Contreras, Splunk", "date": "2024-03-14", "version": 2, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "DarkGate Malware", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts.\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components.\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks.\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Debugger Tool Execution - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Unsigned DLL Side-Loading In Same Process Path - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Debugger Tool Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": "2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Network_Resolution", "Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - High Volume of Bytes Out to Url - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": []}, {"name": "High Volume of Bytes Out to Url", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change_Analysis", "Change", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "references": ["https://attack.mitre.org/techniques/T1140/"], "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Logon Rights Modifications For Endpoint", "Get Logon Rights Modifications For User", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get All AWS Activity From City", "Get All AWS Activity From Country", "Get All AWS Activity From IP Address", "Get All AWS Activity From Region"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["Get Certificate logs for a domain"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["All backup logs for host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "references": ["https://meltdownattack.com/"], "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised.\nSearches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["Get Emails From Specific Sender", "Get Notable History", "Get Web Session Information via session id"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - ASL AWS ECR Container Upload Unknown User - Rule", "ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "ASL AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": []}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": []}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure.\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process File Activity", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well.\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days:\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well.\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["Get DNS Server History for a host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "references": ["https://attack.mitre.org/techniques/T1482/"], "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Emotet Malware DHS Report TA18-201A", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions.\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": []}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": []}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": []}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google cloud accounts.", "tags": {"category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Gomir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 1, "id": "02dbfda2-45fe-4731-a659-91fa871019ba", "description": "This analytic story includes detections that help security analysts identify and investigate unusual activities associated with the Gomir backdoor malware. Gomir is a sophisticated cyber threat that gains unauthorized access to systems. It communicates with a remote command-and-control (C2) server to execute malicious commands, steal sensitive data, and facilitate further attacks, often evading traditional security measures.", "references": ["https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-via-trojanized-installers/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"], "narrative": "The Gomir backdoor malware is a piece of cyber threat designed to infiltrate and compromise systems covertly. Once it gains unauthorized access, Gomir establishes a persistent presence by communicating with a remote command-and-control (C2) server. This connection allows the attacker to execute a wide range of malicious commands on the infected system. Gomir is capable of stealing sensitive data, which can be exfiltrated back to the attacker. Additionally, Gomir can download and install further malicious payloads, facilitating broader cyber-espionage or destructive activities.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get History Of Email Sources", "Get Notable History", "Get Outbound Emails to Hidden Cobra Threat Actors", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "references": ["https://attack.mitre.org/techniques/T1105/"], "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Network_Resolution", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ivanti Connect Secure VPN Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "e3b5c3b8-082b-4b4e-b2c9-47ed79e2a5ab", "description": "The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"], "narrative": "Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure Command Injection Attempts", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server.\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/.\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges.\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry.\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names.\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": []}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Jenkins Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-29", "version": 1, "id": "789e76e6-4b5e-4af3-ab8c-46578d84ccff", "description": "This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "references": ["https://www.jenkins.io/security/advisory/2024-01-24/"], "narrative": "The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Jenkins Arbitrary File Read CVE-2024-23897", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JetBrains TeamCity Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "3cd841e8-2f64-45e8-b148-7767255db111", "description": "This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk.", "references": ["https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "narrative": "JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication.\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts.\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution.\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["Amazon EKS Kubernetes activity by src ip", "GCP Kubernetes activity by src ip", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "references": ["https://kubernetes.io/docs/concepts/security/"], "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - Kubernetes Create or Update Privileged Pod - Rule", "ESCU - Kubernetes Cron Job Creation - Rule", "ESCU - Kubernetes DaemonSet Deployed - Rule", "ESCU - Kubernetes Falco Shell Spawned - Rule", "ESCU - Kubernetes Node Port Creation - Rule", "ESCU - Kubernetes Pod Created in Default Namespace - Rule", "ESCU - Kubernetes Pod With Host Network Attachment - Rule", "ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Create or Update Privileged Pod", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Cron Job Creation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes DaemonSet Deployed", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Falco Shell Spawned", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Node Port Creation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Pod Created in Default Namespace", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Pod With Host Network Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "references": ["https://gtfobins.github.io/"], "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "references": ["https://lolbas-project.github.io/"], "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "tags": {"category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land Detection - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Living Off The Land Detection", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Network_Traffic", "Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": []}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "references": ["https://learn.cisecurity.org/20-controls-download"], "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": []}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk", "date": "2020-12-14", "version": 3, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.", "references": ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "narrative": "This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Michael Haag, Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 Security And Compliance Alert Triggered - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Security And Compliance Alert Triggered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Office 365 Collection Techniques", "author": "Mauricio Velazco, Splunk", "date": "2024-02-12", "version": 1, "id": "d90f2b80-f675-4717-90af-12fc8c438ae8", "description": "Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.", "references": [], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information", "tags": {"category": ["Adversary Tactics", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Compliance Content Search Exported - Rule", "ESCU - O365 Compliance Content Search Started - Rule", "ESCU - O365 Elevated Mailbox Permission Assigned - Rule", "ESCU - O365 Mailbox Email Forwarding Enabled - Rule", "ESCU - O365 Mailbox Folder Read Permission Assigned - Rule", "ESCU - O365 Mailbox Folder Read Permission Granted - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 New Email Forwarding Rule Created - Rule", "ESCU - O365 New Email Forwarding Rule Enabled - Rule", "ESCU - O365 New Forwarding Mailflow Rule Created - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Compliance Content Search Exported", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Compliance Content Search Started", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Elevated Mailbox Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Email Forwarding Enabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Folder Read Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Folder Read Permission Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Email Forwarding Rule Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Email Forwarding Rule Enabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Forwarding Mailflow Rule Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "O365 Suspicious Rights Delegation", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Okta Account Takeover", "author": "Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk", "date": "2024-03-06", "version": 1, "id": "83a48657-8153-4580-adba-eb0b3a83244e", "description": "The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.", "references": ["https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover", "https://www.okta.com/customer-identity/"], "narrative": "Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Change", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta Authentication Failed During MFA Challenge - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multi-Factor Authentication Disabled - Rule", "ESCU - Okta Multiple Accounts Locked Out - Rule", "ESCU - Okta Multiple Failed MFA Requests For User - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Successful Single Factor Authentication - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Unauthorized Access to Application - Rule", "ESCU - Okta User Logins from Multiple Cities - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Bhavin Patel, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Authentication Failed During MFA Challenge", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Multi-Factor Authentication Disabled", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Multiple Accounts Locked Out", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Multiple Failed MFA Requests For User", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Successful Single Factor Authentication", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Unauthorized Access to Application", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta User Logins from Multiple Cities", "source": "application", "type": "Anomaly", "tags": []}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": []}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": []}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Outlook RCE CVE-2024-21378", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-03-20", "version": 1, "id": "d889fcf2-0265-4b44-b29f-4ec063c21880", "description": "CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "narrative": "CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows InProcServer32 New Outlook Form - Rule", "ESCU - Windows New InProcServer32 Added - Rule", "ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows InProcServer32 New Outlook Form", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows New InProcServer32 Added", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Phemedrone Stealer", "author": "Teoderick Contreras, Splunk", "date": "2024-01-24", "version": 2, "id": "386f64dd-657b-4dcf-8eb3-5e297d30924c", "description": "Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities.", "references": ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "narrative": "Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Debugger Tool Execution - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule", "ESCU - Windows Unsigned DLL Side-Loading In Same Process Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Debugger Tool Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "narrative": "This story was created as a joint effort between iDefense and Splunk.\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\n1. www.chemscalere[.]com\n1. chemscalere[.]com\n1. about.chemscalere[.]com\n1. autoconfig.chemscalere[.]com\n1. autodiscover.chemscalere[.]com\n1. catalog.chemscalere[.]com\n1. cpanel.chemscalere[.]com\n1. db.chemscalere[.]com\n1. ftp.chemscalere[.]com\n1. mail.chemscalere[.]com\n1. news.chemscalere[.]com\n1. update.chemscalere[.]com\n1. webmail.chemscalere[.]com\n1. www.candlelightparty[.]org\n1. candlelightparty[.]org\n1. newapp.freshasianews[.]com\nIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\n1. b43ad826fe6928245d3c02b648296b43\n1. 889a9b52566448231f112a5ce9b5dfaf\n1. b8ec65dab97cdef3cd256cc4753f0c54\n1. 04d83cd3813698de28cfbba326d7647c", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation).\nThe prerequisites for successful exploitation consist of:\n1. Print Spooler service enabled on the target system\n1. Network connectivity to the target system (initial access has been obtained)\n1. Hash or password for a low privileged user ( or computer ) account.\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "tags": {"category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Network_Resolution", "Change", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "tags": {"category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": []}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": []}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "references": ["https://attack.mitre.org/techniques/T1053/"], "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe.\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method.\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded.\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party affiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Snake Keylogger", "author": "Teoderick Contreras, Splunk", "date": "2024-02-12", "version": 1, "id": "0374f962-c66a-4a67-9a30-24b0708ef802", "description": "SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "narrative": "SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credential Access From Browser Password Store - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credential Access From Browser Password Store", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Non Discord App Access Discord LevelDB", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Time Based Evasion via Choice Exec", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2024-03-14", "version": 2, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Authentication", "Change", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email.\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack.\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security.\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\n1. The .lnk file executes a PowerShell script\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella,Rod Soto, Eric McGinnis, Splunk", "date": "2024-01-22", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Splunk_Audit"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Authentication Token Exposure in Debug Log - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk CSRF in the SSG kvstore Client Endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DoS via POST Request Datamodel Endpoint - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule", "ESCU - Splunk Information Disclosure on Account Login - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE PDFgen Render - Rule", "ESCU - Splunk RCE via External Lookup Copybuckets - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS conf-web Settings on Premises - Rule", "ESCU - Splunk Stored XSS via Data Model objectName Field - Rule", "ESCU - Splunk Stored XSS via Specially Crafted Bulletin Message - Rule", "ESCU - Splunk Unauthenticated DoS via Null Pointer References - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk Unauthenticated Path Traversal Modules Messaging - Rule", "ESCU - Splunk Unauthorized Experimental Items Creation - Rule", "ESCU - Splunk Unauthorized Notification Input by User - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS Privilege Escalation via Custom Urls in Dashboard - Rule", "ESCU - Splunk XSS Via External Urls in Dashboards SSRF - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Eric McGinnis, Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": []}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Authentication Token Exposure in Debug Log", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk CSRF in the SSG kvstore Client Endpoint", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk DoS via POST Request Datamodel Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Information Disclosure on Account Login", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE PDFgen Render", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk RCE via External Lookup Copybuckets", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS conf-web Settings on Premises", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS via Data Model objectName Field", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS via Specially Crafted Bulletin Message", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated DoS via Null Pointer References", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated Path Traversal Modules Messaging", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthorized Experimental Items Creation", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthorized Notification Input by User", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS Privilege Escalation via Custom Urls in Dashboard", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS Via External Urls in Dashboards SSRF", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": []}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": []}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:\n- Java Development Kit (JDK) 9 or greater\n- Apache Tomcat as the Servlet container\n- Packaged as a WAR\n- spring-webmvc or spring-webflux dependency\n", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": []}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": []}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"], "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses.\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS S3 Bucket details via bucketName", "Get All AWS Activity From IP Address", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network.\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\nAttackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get All AWS Activity From IP Address"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule", "ESCU - Cloud Security Groups Modifications by User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Security Groups Modifications by User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Command-Line Executions", "author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\nOnce a phishing message has been detected, the next steps are to answer the following questions:\n1. Which users have received this or a similar message in the past?\n1. When did the targeted campaign begin?\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\n1. Determine if script code was executed with MSHTA.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom.\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important.\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta IDP Lifecycle Modifications - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": ["Investigate Okta Activity by app", "Investigate Okta Activity by IP Address", "Investigate User Activities In Okta"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Okta IDP Lifecycle Modifications", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Account Lockout Events", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Failed SSO Attempts", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": "80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\nThe registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\nThe searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["Get Process File Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\n1. Determine if script code was executed with MSBuild.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Payload Injection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["Get Notable History", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": []}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": []}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.\nThey issue commands via the command line to: 1. collect data, including credentials from local and network systems,\n2. put the data into an archive file to stage it for exfiltration, and then\n3. use the stolen valid credentials to maintain persistence.\nIn addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows AppLocker", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 1, "id": "7911b245-e74d-48db-b1cf-69f3eb02ca55", "description": "Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications.", "references": [], "narrative": "AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \\\nOrganizations should leverage AppLocker for several reasons. Firstly, it aids in the enforcement of software compliance policies by ensuring that only licensed and approved applications are run on the network. Secondly, by restricting the execution of unauthorized applications, AppLocker significantly reduces the attack surface, making it harder for attackers to exploit vulnerabilities in unapproved software. Thirdly, AppLocker's ability to log attempts to run unauthorized applications provides valuable insights for security monitoring and incident response activities. This logging capability enables organizations to detect and respond to potential security threats in real time. \\\nIn summary, AppLocker is a critical security tool that helps organizations manage application usage, enforce compliance policies, and mitigate security risks. By implementing AppLocker policies, organizations can achieve a robust security posture, protecting their assets from unauthorized software and potential cyber threats.", "tags": {"category": ["Unauthorized Software", "Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows AppLocker Block Events - Rule", "ESCU - Windows AppLocker Execution from Uncommon Locations - Rule", "ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule", "ESCU - Windows AppLocker Rare Application Launch Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows AppLocker Block Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AppLocker Execution from Uncommon Locations", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AppLocker Rare Application Launch Detection", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "references": ["https://attack.mitre.org/techniques/T1649/"], "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates", "Web", "Change", "Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect AzureHound Command-Line Arguments - Rule", "ESCU - Detect AzureHound File Modifications - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Traffic to Active Directory Web Services Protocol - Rule", "ESCU - System Information Discovery Detection - Rule", "ESCU - Windows SOAPHound Binary Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Detect AzureHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect AzureHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Traffic to Active Directory Web Services Protocol", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System Information Discovery Detection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SOAPHound Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874.\nThe WER service's function is to report software issues on Windows hosts. The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access.\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers.\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications.\nSince its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe.\nAttackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation System Process Without System Parent", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates", "Web", "Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds.\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses.\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation.\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "references": ["https://cert.gov.ua/article/3761023"], "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "WordPress Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-22", "version": 1, "id": "baeaee14-e439-4c95-91e8-aaedd8265c1c", "description": "This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "narrative": "The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WordPress Bricks Builder plugin RCE - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WordPress Bricks Builder plugin RCE", "source": "web", "type": "TTP", "tags": []}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": []}]}, {"name": "XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Zscaler Browser Proxy Threats", "author": "Rod Soto, Gowthamaraj Rajendran", "date": "2023-10-25", "version": 1, "id": "5d4ba315-39df-4309-982f-a7052efccffd", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment.", "references": ["https://threatlibrary.zscaler.com/", "https://help.zscaler.com/zia/about-threat-categories"], "narrative": "Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Zscaler Adware Activities Threat Blocked - Rule", "ESCU - Zscaler Behavior Analysis Threat Blocked - Rule", "ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule", "ESCU - Zscaler Employment Search Web Activity - Rule", "ESCU - Zscaler Exploit Threat Blocked - Rule", "ESCU - Zscaler Legal Liability Threat Blocked - Rule", "ESCU - Zscaler Malware Activity Threat Blocked - Rule", "ESCU - Zscaler Phishing Activity Threat Blocked - Rule", "ESCU - Zscaler Potentially Abused File Download - Rule", "ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule", "ESCU - Zscaler Scam Destinations Threat Blocked - Rule", "ESCU - Zscaler Virus Download threat blocked - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran", "author_name": "Rod Soto", "detections": [{"name": "Zscaler Adware Activities Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Behavior Analysis Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Employment Search Web Activity", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Exploit Threat Blocked", "source": "web", "type": "TTP", "tags": []}, {"name": "Zscaler Legal Liability Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Malware Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Phishing Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Potentially Abused File Download", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Scam Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Virus Download threat blocked", "source": "web", "type": "Anomaly", "tags": []}]}]} -======= -{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule", "ESCU - Kubernetes newly seen TCP edge - Rule", "ESCU - Kubernetes newly seen UDP edge - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Previously Unseen Process - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes newly seen TCP edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes newly seen UDP edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Previously Unseen Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Deletion of SSL Certificate - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Account Manipulation Of SSH Config and Keys", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion of SSL Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\nThis Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Network_Traffic", "Change", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.\nIt is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Change", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Short Lived Windows Accounts - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Windows Accounts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Excessive Account Lockouts From Endpoint - Rule", "ESCU - Detect Excessive User Account Lockouts - Rule", "ESCU - Windows Create Local Account - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Detect Excessive Account Lockouts From Endpoint", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Excessive User Account Lockouts", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Create Local Account", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures.\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": []}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": []}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack.\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["Get Notable History", "Investigate Suspicious Strings in HTTP Header", "Investigate Web POSTs From src"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": []}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "APT29 Diplomatic Deceptions with WINELOADER", "author": "Michael Haag, splunk", "date": "2024-03-26", "version": 1, "id": "7cb5fdb5-4c36-4721-8b0a-4cc5e78afadd", "description": "APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "narrative": "APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Windows Process Writing File to World Writable Path - Rule", "ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule", "ESCU - Windows Unsigned MS DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Writing File to World Writable Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned MS DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["Get First Occurrence and Last Occurrence of a MAC Address", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": []}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": []}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["AWS Investigate User Activities By AccessKeyId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS IAM Failure Group Deletion - Rule", "ESCU - ASL AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule", "ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS CreateAccessKey", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Cloud Network Access Control List Deleted - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Network Access Control List Deleted", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "references": ["https://aws.amazon.com/security-hub/features/"], "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage.\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Excessive Security Scanning - Rule", "ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Excessive Security Scanning", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Device Code Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule", "ESCU - Windows Multiple Account Passwords Changed - Rule", "ESCU - Windows Multiple Accounts Deleted - Rule", "ESCU - Windows Multiple Accounts Disabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Windows Multiple Account Passwords Changed", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Accounts Deleted", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Accounts Disabled", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SchCache Change By App Connect And Create ADSI Object - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SchCache Change By App Connect And Create ADSI Object", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Brute Ratel C4", "author": "Teoderick Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Web", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "373b37a9-0939-4295-aa1b-ded8d043a95c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls.\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures.\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": []}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution.\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception.\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used.\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": []}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\n- What is the default, or normal, process lineage for spawnto_ value?\n- Does the spawnto_ value make network connections?\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["Get Notable History", "Investigate Network Traffic From src ip"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\nAttacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence.\nUse the searches to detect and monitor suspicious behavior related to these activities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": []}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": []}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Confluence Data Center and Confluence Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-22", "version": 1, "id": "509387a5-ab53-4656-8bb5-4bc8c2c074d9", "description": "The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.", "references": ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "narrative": "The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": []}]}, {"name": "ConnectWise ScreenConnect Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "fbee3185-748c-40d8-a60c-c2e2c9eb738b", "description": "This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "narrative": "The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - ConnectWise ScreenConnect Path Traversal - Rule", "ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule", "ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule", "ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "ConnectWise ScreenConnect Path Traversal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": []}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Change", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["Investigate Failed Logins for Multiple Destinations", "Investigate Pass the Hash Attempts", "Investigate Pass the Ticket Attempts", "Investigate Previous Unseen User"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CrushFTP Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "933df821-3b75-4669-a58a-e85d2cd7b9b0", "description": "CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "narrative": "CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CrushFTP Server Side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CrushFTP Server Side Template Injection", "source": "application", "type": "TTP", "tags": []}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation.\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints.\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch.\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access.\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency.\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing.\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available.\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cyclops Blink", "author": "Teoderick Contreras, Splunk", "date": "2024-03-14", "version": 2, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "DarkGate Malware", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts.\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components.\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks.\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Debugger Tool Execution - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Unsigned DLL Side-Loading In Same Process Path - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Debugger Tool Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": "2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Web", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - High Volume of Bytes Out to Url - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": []}, {"name": "High Volume of Bytes Out to Url", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Change_Analysis", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "references": ["https://attack.mitre.org/techniques/T1140/"], "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Logon Rights Modifications For Endpoint", "Get Logon Rights Modifications For User", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get All AWS Activity From City", "Get All AWS Activity From Country", "Get All AWS Activity From IP Address", "Get All AWS Activity From Region"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["Get Certificate logs for a domain"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["All backup logs for host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "references": ["https://meltdownattack.com/"], "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised.\nSearches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["Get Emails From Specific Sender", "Get Notable History", "Get Web Session Information via session id"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - ASL AWS ECR Container Upload Unknown User - Rule", "ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "ASL AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": []}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": []}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure.\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process File Activity", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well.\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days:\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well.\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["Get DNS Server History for a host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "references": ["https://attack.mitre.org/techniques/T1482/"], "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Emotet Malware DHS Report TA18-201A", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions.\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": []}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": []}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": []}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google cloud accounts.", "tags": {"category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Gomir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 1, "id": "02dbfda2-45fe-4731-a659-91fa871019ba", "description": "This analytic story includes detections that help security analysts identify and investigate unusual activities associated with the Gomir backdoor malware. Gomir is a sophisticated cyber threat that gains unauthorized access to systems. It communicates with a remote command-and-control (C2) server to execute malicious commands, steal sensitive data, and facilitate further attacks, often evading traditional security measures.", "references": ["https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-via-trojanized-installers/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"], "narrative": "The Gomir backdoor malware is a piece of cyber threat designed to infiltrate and compromise systems covertly. Once it gains unauthorized access, Gomir establishes a persistent presence by communicating with a remote command-and-control (C2) server. This connection allows the attacker to execute a wide range of malicious commands on the infected system. Gomir is capable of stealing sensitive data, which can be exfiltrated back to the attacker. Additionally, Gomir can download and install further malicious payloads, facilitating broader cyber-espionage or destructive activities.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get History Of Email Sources", "Get Notable History", "Get Outbound Emails to Hidden Cobra Threat Actors", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "references": ["https://attack.mitre.org/techniques/T1105/"], "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Network_Traffic", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ivanti Connect Secure VPN Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "e3b5c3b8-082b-4b4e-b2c9-47ed79e2a5ab", "description": "The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"], "narrative": "Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure Command Injection Attempts", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server.\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/.\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges.\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry.\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names.\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": []}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Jenkins Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-29", "version": 1, "id": "789e76e6-4b5e-4af3-ab8c-46578d84ccff", "description": "This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "references": ["https://www.jenkins.io/security/advisory/2024-01-24/"], "narrative": "The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Jenkins Arbitrary File Read CVE-2024-23897", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JetBrains TeamCity Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "3cd841e8-2f64-45e8-b148-7767255db111", "description": "This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk.", "references": ["https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "narrative": "JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication.\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts.\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution.\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["Amazon EKS Kubernetes activity by src ip", "GCP Kubernetes activity by src ip", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "references": ["https://kubernetes.io/docs/concepts/security/"], "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - Kubernetes Create or Update Privileged Pod - Rule", "ESCU - Kubernetes Cron Job Creation - Rule", "ESCU - Kubernetes DaemonSet Deployed - Rule", "ESCU - Kubernetes Falco Shell Spawned - Rule", "ESCU - Kubernetes Node Port Creation - Rule", "ESCU - Kubernetes Pod Created in Default Namespace - Rule", "ESCU - Kubernetes Pod With Host Network Attachment - Rule", "ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Create or Update Privileged Pod", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Cron Job Creation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes DaemonSet Deployed", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Falco Shell Spawned", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Node Port Creation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Pod Created in Default Namespace", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Pod With Host Network Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "references": ["https://gtfobins.github.io/"], "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "references": ["https://lolbas-project.github.io/"], "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "tags": {"category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land Detection - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Living Off The Land Detection", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Web", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": []}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "references": ["https://learn.cisecurity.org/20-controls-download"], "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": []}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk", "date": "2020-12-14", "version": 3, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.", "references": ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "narrative": "This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Michael Haag, Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 Security And Compliance Alert Triggered - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Security And Compliance Alert Triggered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Office 365 Collection Techniques", "author": "Mauricio Velazco, Splunk", "date": "2024-02-12", "version": 1, "id": "d90f2b80-f675-4717-90af-12fc8c438ae8", "description": "Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.", "references": [], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information", "tags": {"category": ["Adversary Tactics", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Compliance Content Search Exported - Rule", "ESCU - O365 Compliance Content Search Started - Rule", "ESCU - O365 Elevated Mailbox Permission Assigned - Rule", "ESCU - O365 Mailbox Email Forwarding Enabled - Rule", "ESCU - O365 Mailbox Folder Read Permission Assigned - Rule", "ESCU - O365 Mailbox Folder Read Permission Granted - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 New Email Forwarding Rule Created - Rule", "ESCU - O365 New Email Forwarding Rule Enabled - Rule", "ESCU - O365 New Forwarding Mailflow Rule Created - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Compliance Content Search Exported", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Compliance Content Search Started", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Elevated Mailbox Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Email Forwarding Enabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Folder Read Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Folder Read Permission Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Email Forwarding Rule Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Email Forwarding Rule Enabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Forwarding Mailflow Rule Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "O365 Suspicious Rights Delegation", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Okta Account Takeover", "author": "Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk", "date": "2024-03-06", "version": 1, "id": "83a48657-8153-4580-adba-eb0b3a83244e", "description": "The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.", "references": ["https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover", "https://www.okta.com/customer-identity/"], "narrative": "Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta Authentication Failed During MFA Challenge - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multi-Factor Authentication Disabled - Rule", "ESCU - Okta Multiple Accounts Locked Out - Rule", "ESCU - Okta Multiple Failed MFA Requests For User - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Successful Single Factor Authentication - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Unauthorized Access to Application - Rule", "ESCU - Okta User Logins from Multiple Cities - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Bhavin Patel, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Authentication Failed During MFA Challenge", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Multi-Factor Authentication Disabled", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Multiple Accounts Locked Out", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Multiple Failed MFA Requests For User", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Successful Single Factor Authentication", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Unauthorized Access to Application", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta User Logins from Multiple Cities", "source": "application", "type": "Anomaly", "tags": []}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": []}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": []}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Outlook RCE CVE-2024-21378", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-03-20", "version": 1, "id": "d889fcf2-0265-4b44-b29f-4ec063c21880", "description": "CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "narrative": "CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows InProcServer32 New Outlook Form - Rule", "ESCU - Windows New InProcServer32 Added - Rule", "ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows InProcServer32 New Outlook Form", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows New InProcServer32 Added", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Phemedrone Stealer", "author": "Teoderick Contreras, Splunk", "date": "2024-01-24", "version": 2, "id": "386f64dd-657b-4dcf-8eb3-5e297d30924c", "description": "Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities.", "references": ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "narrative": "Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Debugger Tool Execution - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule", "ESCU - Windows Unsigned DLL Side-Loading In Same Process Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Debugger Tool Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "narrative": "This story was created as a joint effort between iDefense and Splunk.\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\n1. www.chemscalere[.]com\n1. chemscalere[.]com\n1. about.chemscalere[.]com\n1. autoconfig.chemscalere[.]com\n1. autodiscover.chemscalere[.]com\n1. catalog.chemscalere[.]com\n1. cpanel.chemscalere[.]com\n1. db.chemscalere[.]com\n1. ftp.chemscalere[.]com\n1. mail.chemscalere[.]com\n1. news.chemscalere[.]com\n1. update.chemscalere[.]com\n1. webmail.chemscalere[.]com\n1. www.candlelightparty[.]org\n1. candlelightparty[.]org\n1. newapp.freshasianews[.]com\nIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\n1. b43ad826fe6928245d3c02b648296b43\n1. 889a9b52566448231f112a5ce9b5dfaf\n1. b8ec65dab97cdef3cd256cc4753f0c54\n1. 04d83cd3813698de28cfbba326d7647c", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation).\nThe prerequisites for successful exploitation consist of:\n1. Print Spooler service enabled on the target system\n1. Network connectivity to the target system (initial access has been obtained)\n1. Hash or password for a low privileged user ( or computer ) account.\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "tags": {"category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Change", "Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "tags": {"category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": []}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": []}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "references": ["https://attack.mitre.org/techniques/T1053/"], "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe.\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method.\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded.\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party affiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Snake Keylogger", "author": "Teoderick Contreras, Splunk", "date": "2024-02-12", "version": 1, "id": "0374f962-c66a-4a67-9a30-24b0708ef802", "description": "SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "narrative": "SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credential Access From Browser Password Store - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credential Access From Browser Password Store", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Non Discord App Access Discord LevelDB", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Time Based Evasion via Choice Exec", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2024-03-14", "version": 2, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication", "Change", "Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email.\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack.\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security.\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\n1. The .lnk file executes a PowerShell script\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella,Rod Soto, Eric McGinnis, Splunk", "date": "2024-01-22", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Splunk_Audit"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Authentication Token Exposure in Debug Log - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk CSRF in the SSG kvstore Client Endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DoS via POST Request Datamodel Endpoint - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule", "ESCU - Splunk Information Disclosure on Account Login - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE PDFgen Render - Rule", "ESCU - Splunk RCE via External Lookup Copybuckets - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS conf-web Settings on Premises - Rule", "ESCU - Splunk Stored XSS via Data Model objectName Field - Rule", "ESCU - Splunk Stored XSS via Specially Crafted Bulletin Message - Rule", "ESCU - Splunk Unauthenticated DoS via Null Pointer References - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk Unauthenticated Path Traversal Modules Messaging - Rule", "ESCU - Splunk Unauthorized Experimental Items Creation - Rule", "ESCU - Splunk Unauthorized Notification Input by User - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS Privilege Escalation via Custom Urls in Dashboard - Rule", "ESCU - Splunk XSS Via External Urls in Dashboards SSRF - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Eric McGinnis, Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": []}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Authentication Token Exposure in Debug Log", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk CSRF in the SSG kvstore Client Endpoint", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk DoS via POST Request Datamodel Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Information Disclosure on Account Login", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE PDFgen Render", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk RCE via External Lookup Copybuckets", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS conf-web Settings on Premises", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS via Data Model objectName Field", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS via Specially Crafted Bulletin Message", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated DoS via Null Pointer References", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated Path Traversal Modules Messaging", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthorized Experimental Items Creation", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthorized Notification Input by User", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS Privilege Escalation via Custom Urls in Dashboard", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS Via External Urls in Dashboards SSRF", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": []}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": []}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:\n- Java Development Kit (JDK) 9 or greater\n- Apache Tomcat as the Servlet container\n- Packaged as a WAR\n- spring-webmvc or spring-webflux dependency\n", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": []}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": []}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"], "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses.\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS S3 Bucket details via bucketName", "Get All AWS Activity From IP Address", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network.\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\nAttackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get All AWS Activity From IP Address"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule", "ESCU - Cloud Security Groups Modifications by User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Security Groups Modifications by User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Command-Line Executions", "author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\nOnce a phishing message has been detected, the next steps are to answer the following questions:\n1. Which users have received this or a similar message in the past?\n1. When did the targeted campaign begin?\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\n1. Determine if script code was executed with MSHTA.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom.\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important.\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta IDP Lifecycle Modifications - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": ["Investigate Okta Activity by app", "Investigate Okta Activity by IP Address", "Investigate User Activities In Okta"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Okta IDP Lifecycle Modifications", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Account Lockout Events", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Failed SSO Attempts", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": "80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\nThe registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\nThe searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["Get Process File Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\n1. Determine if script code was executed with MSBuild.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Payload Injection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["Get Notable History", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": []}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": []}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.\nThey issue commands via the command line to: 1. collect data, including credentials from local and network systems,\n2. put the data into an archive file to stage it for exfiltration, and then\n3. use the stolen valid credentials to maintain persistence.\nIn addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows AppLocker", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 1, "id": "7911b245-e74d-48db-b1cf-69f3eb02ca55", "description": "Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications.", "references": [], "narrative": "AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \\\nOrganizations should leverage AppLocker for several reasons. Firstly, it aids in the enforcement of software compliance policies by ensuring that only licensed and approved applications are run on the network. Secondly, by restricting the execution of unauthorized applications, AppLocker significantly reduces the attack surface, making it harder for attackers to exploit vulnerabilities in unapproved software. Thirdly, AppLocker's ability to log attempts to run unauthorized applications provides valuable insights for security monitoring and incident response activities. This logging capability enables organizations to detect and respond to potential security threats in real time. \\\nIn summary, AppLocker is a critical security tool that helps organizations manage application usage, enforce compliance policies, and mitigate security risks. By implementing AppLocker policies, organizations can achieve a robust security posture, protecting their assets from unauthorized software and potential cyber threats.", "tags": {"category": ["Unauthorized Software", "Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows AppLocker Block Events - Rule", "ESCU - Windows AppLocker Execution from Uncommon Locations - Rule", "ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule", "ESCU - Windows AppLocker Rare Application Launch Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows AppLocker Block Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AppLocker Execution from Uncommon Locations", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AppLocker Rare Application Launch Detection", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "references": ["https://attack.mitre.org/techniques/T1649/"], "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Change", "Web", "Updates", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect AzureHound Command-Line Arguments - Rule", "ESCU - Detect AzureHound File Modifications - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Traffic to Active Directory Web Services Protocol - Rule", "ESCU - System Information Discovery Detection - Rule", "ESCU - Windows SOAPHound Binary Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Detect AzureHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect AzureHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Traffic to Active Directory Web Services Protocol", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System Information Discovery Detection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SOAPHound Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874.\nThe WER service's function is to report software issues on Windows hosts. The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access.\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers.\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications.\nSince its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe.\nAttackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation System Process Without System Parent", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Web", "Updates", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds.\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses.\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation.\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "references": ["https://cert.gov.ua/article/3761023"], "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "WordPress Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-22", "version": 1, "id": "baeaee14-e439-4c95-91e8-aaedd8265c1c", "description": "This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "narrative": "The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WordPress Bricks Builder plugin RCE - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WordPress Bricks Builder plugin RCE", "source": "web", "type": "TTP", "tags": []}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": []}]}, {"name": "XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Zscaler Browser Proxy Threats", "author": "Rod Soto, Gowthamaraj Rajendran", "date": "2023-10-25", "version": 1, "id": "5d4ba315-39df-4309-982f-a7052efccffd", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment.", "references": ["https://threatlibrary.zscaler.com/", "https://help.zscaler.com/zia/about-threat-categories"], "narrative": "Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Zscaler Adware Activities Threat Blocked - Rule", "ESCU - Zscaler Behavior Analysis Threat Blocked - Rule", "ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule", "ESCU - Zscaler Employment Search Web Activity - Rule", "ESCU - Zscaler Exploit Threat Blocked - Rule", "ESCU - Zscaler Legal Liability Threat Blocked - Rule", "ESCU - Zscaler Malware Activity Threat Blocked - Rule", "ESCU - Zscaler Phishing Activity Threat Blocked - Rule", "ESCU - Zscaler Potentially Abused File Download - Rule", "ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule", "ESCU - Zscaler Scam Destinations Threat Blocked - Rule", "ESCU - Zscaler Virus Download threat blocked - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran", "author_name": "Rod Soto", "detections": [{"name": "Zscaler Adware Activities Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Behavior Analysis Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Employment Search Web Activity", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Exploit Threat Blocked", "source": "web", "type": "TTP", "tags": []}, {"name": "Zscaler Legal Liability Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Malware Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Phishing Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Potentially Abused File Download", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Scam Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Virus Download threat blocked", "source": "web", "type": "Anomaly", "tags": []}]}]} ->>>>>>> develop +{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Anomalous Outbound Network Activity from Process - Rule", "ESCU - Kubernetes Anomalous Traffic on Network Edge - Rule", "ESCU - Kubernetes newly seen TCP edge - Rule", "ESCU - Kubernetes newly seen UDP edge - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Previously Unseen Process - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Inbound to Outbound Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Outbound Network Activity from Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Anomalous Traffic on Network Edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes newly seen TCP edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes newly seen UDP edge", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Previously Unseen Process", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Deletion of SSL Certificate - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Account Manipulation Of SSH Config and Keys", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion of SSL Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Network Share Interaction With Net - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Network Share Interaction With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\nThis Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Change", "Authentication", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.\nIt is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk", "Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Short Lived Windows Accounts - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Windows Accounts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Distributed Password Spray Attempts - Rule", "ESCU - Detect Password Spray Attempts - Rule", "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule", "ESCU - Detect Excessive User Account Lockouts - Rule", "ESCU - Windows Create Local Account - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Detect Distributed Password Spray Attempts", "source": "application", "type": "Hunting", "tags": []}, {"name": "Detect Password Spray Attempts", "source": "application", "type": "TTP", "tags": []}, {"name": "Detect Excessive Account Lockouts From Endpoint", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Excessive User Account Lockouts", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Create Local Account", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows AD add Self to Group - Rule", "ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows Network Share Interaction With Net - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Windows AD add Self to Group", "source": "application", "type": "TTP", "tags": []}, {"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Network Share Interaction With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures.\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": []}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": []}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack.\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["Get Notable History", "Investigate Suspicious Strings in HTTP Header", "Investigate Web POSTs From src"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": []}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "APT29 Diplomatic Deceptions with WINELOADER", "author": "Michael Haag, splunk", "date": "2024-03-26", "version": 1, "id": "7cb5fdb5-4c36-4721-8b0a-4cc5e78afadd", "description": "APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities.", "references": ["https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"], "narrative": "APT29, also known as Cozy Bear, has historically focused on espionage activities aligned with Russian intelligence interests. In recent campaigns, APT29 has notably shifted its operational focus, targeting not only its traditional diplomatic missions but also expanding into the political domain, specifically German political parties. These campaigns have been characterized by the deployment of WINELOADER, a sophisticated backdoor that facilitates the exfiltration of sensitive information. The use of themed lures, such as invitations from the Ambassador of India and CDU-themed documents, highlights APT29's strategic use of social engineering to compromise targets. The operations against European diplomats and German political entities reveal APT29's adaptive tactics and its persistent effort to gather intelligence that could influence Russia's geopolitical strategy. The precision of these attacks, coupled with the use of compromised websites for command and control, underscores the evolving threat landscape and the need for heightened cybersecurity vigilance among potential targets.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule", "ESCU - Windows Process Writing File to World Writable Path - Rule", "ESCU - Windows SqlWriter SQLDumper DLL Sideload - Rule", "ESCU - Windows Unsigned MS DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Writing File to World Writable Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows SqlWriter SQLDumper DLL Sideload", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned MS DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["Get First Occurrence and Last Occurrence of a MAC Address", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": []}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": []}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["AWS Investigate User Activities By AccessKeyId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - ASL AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Update Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS IAM Failure Group Deletion - Rule", "ESCU - ASL AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule", "ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS CreateAccessKey", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Cloud Network Access Control List Deleted - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Network Access Control List Deleted", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "references": ["https://aws.amazon.com/security-hub/features/"], "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage.\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Excessive Security Scanning - Rule", "ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": []}, {"name": "ASL AWS Excessive Security Scanning", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Device Code Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule", "ESCU - Windows Multiple Account Passwords Changed - Rule", "ESCU - Windows Multiple Accounts Deleted - Rule", "ESCU - Windows Multiple Accounts Disabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Windows Multiple Account Passwords Changed", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Accounts Deleted", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Accounts Disabled", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SchCache Change By App Connect And Create ADSI Object - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SchCache Change By App Connect And Create ADSI Object", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution", "Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Brute Ratel C4", "author": "Teoderick Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk", "Network_Resolution", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "1350df5c-64af-4c4a-bc72-c91d23795426", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. No workarounds are available for this vulnerability.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls.\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures.\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": []}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution.\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception.\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used.\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": []}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\n- What is the default, or normal, process lineage for spawnto_ value?\n- Does the spawnto_ value make network connections?\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["Get Notable History", "Investigate Network Traffic From src ip"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\nAttacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence.\nUse the searches to detect and monitor suspicious behavior related to these activities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": []}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Distributed Password Spray Attempts - Rule", "ESCU - Detect Password Spray Attempts - Rule", "ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - ASL AWS Password Policy Changes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Detect Distributed Password Spray Attempts", "source": "application", "type": "Hunting", "tags": []}, {"name": "Detect Password Spray Attempts", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": []}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": []}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "ASL AWS Password Policy Changes", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Confluence Data Center and Confluence Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-22", "version": 1, "id": "509387a5-ab53-4656-8bb5-4bc8c2c074d9", "description": "The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.", "references": ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"], "narrative": "The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": []}]}, {"name": "ConnectWise ScreenConnect Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-21", "version": 1, "id": "fbee3185-748c-40d8-a60c-c2e2c9eb738b", "description": "This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.", "references": ["https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass", "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"], "narrative": "The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - ConnectWise ScreenConnect Path Traversal - Rule", "ESCU - ConnectWise ScreenConnect Path Traversal Windows SACL - Rule", "ESCU - ConnectWise ScreenConnect Authentication Bypass - Rule", "ESCU - Nginx ConnectWise ScreenConnect Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "ConnectWise ScreenConnect Path Traversal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ConnectWise ScreenConnect Path Traversal Windows SACL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": []}, {"name": "Nginx ConnectWise ScreenConnect Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["Investigate Failed Logins for Multiple Destinations", "Investigate Pass the Hash Attempts", "Investigate Pass the Ticket Attempts", "Investigate Previous Unseen User"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CrushFTP Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-05-16", "version": 1, "id": "933df821-3b75-4669-a58a-e85d2cd7b9b0", "description": "CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox.", "references": ["https://github.com/airbus-cert/CVE-2024-4040", "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/"], "narrative": "CVE-2024-4040 exposes a severe server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. The vulnerability was urgently addressed by CrushFTP with a patch after it was actively exploited in the wild, highlighting the necessity for immediate updates to secure server environments. Users operating behind a DMZ are reported to have an additional layer of protection against this exploit. The discovery and subsequent reporting of this vulnerability by Simon Garrelou of Airbus CERT prompted a swift response from CrushFTP, underscoring the critical nature of the flaw and the potential risks associated with delayed patching. This incident serves as a stark reminder of the importance of maintaining up-to-date software to defend against evolving cybersecurity threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CrushFTP Server Side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CrushFTP Server Side Template Injection", "source": "application", "type": "TTP", "tags": []}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation.\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints.\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", "source": "web", "type": "TTP", "tags": []}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch.\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access.\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency.\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing.\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available.\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Cyclops Blink", "author": "Teoderick Contreras, Splunk", "date": "2024-03-14", "version": 2, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "DarkGate Malware", "author": "Michael Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts.\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components.\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks.\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Debugger Tool Execution - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Unsigned DLL Side-Loading In Same Process Path - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Debugger Tool Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": "2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk", "Network_Resolution", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - High Volume of Bytes Out to Url - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": []}, {"name": "High Volume of Bytes Out to Url", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change_Analysis", "Change", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "references": ["https://attack.mitre.org/techniques/T1140/"], "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority.\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN.\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Logon Rights Modifications For Endpoint", "Get Logon Rights Modifications For User", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get All AWS Activity From City", "Get All AWS Activity From Country", "Get All AWS Activity From IP Address", "Get All AWS Activity From Region"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["Get Certificate logs for a domain"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["All backup logs for host", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "references": ["https://meltdownattack.com/"], "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate Security Hub alerts by dest", "AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get EC2 Launch Details", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised.\nSearches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get EC2 Instance Details by instanceId", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["Get Emails From Specific Sender", "Get Notable History", "Get Web Session Information via session id"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - ASL AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - ASL AWS ECR Container Upload Unknown User - Rule", "ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "ASL AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "ASL AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": []}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": []}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity.\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure.\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process File Activity", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well.\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days:\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well.\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["Get DNS Server History for a host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "references": ["https://attack.mitre.org/techniques/T1482/"], "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Web", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Emotet Malware DHS Report TA18-201A", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants.\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic", "Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions.\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": []}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": []}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": []}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Google cloud accounts.", "tags": {"category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": []}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Gomir", "author": "Teoderick Contreras, Splunk", "date": "2024-05-29", "version": 1, "id": "02dbfda2-45fe-4731-a659-91fa871019ba", "description": "This analytic story includes detections that help security analysts identify and investigate unusual activities associated with the Gomir backdoor malware. Gomir is a sophisticated cyber threat that gains unauthorized access to systems. It communicates with a remote command-and-control (C2) server to execute malicious commands, steal sensitive data, and facilitate further attacks, often evading traditional security measures.", "references": ["https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-via-trojanized-installers/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"], "narrative": "The Gomir backdoor malware is a piece of cyber threat designed to infiltrate and compromise systems covertly. Once it gains unauthorized access, Gomir establishes a persistent presence by communicating with a remote command-and-control (C2) server. This connection allows the attacker to execute a wide range of malicious commands on the infected system. Gomir is capable of stealing sensitive data, which can be exfiltrated back to the attacker. Additionally, Gomir can download and install further malicious payloads, facilitating broader cyber-espionage or destructive activities.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get History Of Email Sources", "Get Notable History", "Get Outbound Emails to Hidden Cobra Threat Actors", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "references": ["https://attack.mitre.org/techniques/T1105/"], "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Resolution", "Authentication", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ivanti Connect Secure VPN Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-16", "version": 1, "id": "e3b5c3b8-082b-4b4e-b2c9-47ed79e2a5ab", "description": "The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.", "references": ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"], "narrative": "Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure Command Injection Attempts", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure SSRF in SAML Component", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti Connect Secure System Information Access via Auth Bypass", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server.\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/.\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": []}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges.\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry.\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names.\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": []}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Jenkins Server Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-01-29", "version": 1, "id": "789e76e6-4b5e-4af3-ab8c-46578d84ccff", "description": "This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "references": ["https://www.jenkins.io/security/advisory/2024-01-24/"], "narrative": "The following analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. Jenkins is a popular open-source automation server that is used to automate tasks associated with building, testing, and deploying software. Jenkins is often used in DevOps environments and is a critical component of the software development lifecycle. As a result, Jenkins servers are often targeted by adversaries to gain access to sensitive information, credentials, and other critical assets. This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Jenkins Arbitrary File Read CVE-2024-23897 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Jenkins Arbitrary File Read CVE-2024-23897", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "JetBrains TeamCity Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-03-04", "version": 1, "id": "3cd841e8-2f64-45e8-b148-7767255db111", "description": "This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk.", "references": ["https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/", "https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/", "https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/"], "narrative": "JetBrains TeamCity is a continuous integration and deployment server that allows developers to automate the process of building, testing, and deploying code. It is a popular tool used by many organizations to streamline their development and deployment processes. However, like any software, JetBrains TeamCity is not immune to vulnerabilities.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - JetBrains TeamCity Authentication Bypass CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 - Rule", "ESCU - JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity Authentication Bypass CVE-2024-27198", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199", "source": "web", "type": "TTP", "tags": []}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication.\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts.\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution.\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["Amazon EKS Kubernetes activity by src ip", "GCP Kubernetes activity by src ip", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "references": ["https://kubernetes.io/docs/concepts/security/"], "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - Kubernetes Create or Update Privileged Pod - Rule", "ESCU - Kubernetes Cron Job Creation - Rule", "ESCU - Kubernetes DaemonSet Deployed - Rule", "ESCU - Kubernetes Falco Shell Spawned - Rule", "ESCU - Kubernetes Node Port Creation - Rule", "ESCU - Kubernetes Pod Created in Default Namespace - Rule", "ESCU - Kubernetes Pod With Host Network Attachment - Rule", "ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Create or Update Privileged Pod", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Cron Job Creation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes DaemonSet Deployed", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Falco Shell Spawned", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Node Port Creation", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Pod Created in Default Namespace", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Pod With Host Network Attachment", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Scanning by Unauthenticated IP Address", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "references": ["https://gtfobins.github.io/"], "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "references": ["https://lolbas-project.github.io/"], "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "tags": {"category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land Detection - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Living Off The Land Detection", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk", "Web", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": []}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": []}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.\nThe following factors may assist you in determining whether the event is malicious:\n1. Country of origin\n1. Responsible party\n1. Fully qualified domain names associated with the external IP address\n1. Registration of fully qualified domain names associated with external IP address\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "tags": {"category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "references": ["https://learn.cisecurity.org/20-controls-download"], "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": []}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "tags": {"category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux System Network Discovery - Rule", "ESCU - Windows Network Share Interaction With Net - Rule", "ESCU - Internal Horizontal Port Scan - Rule", "ESCU - Internal Vertical Port Scan - Rule", "ESCU - Internal Vulnerability Scan - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Network Share Interaction With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Internal Horizontal Port Scan", "source": "network", "type": "TTP", "tags": []}, {"name": "Internal Vertical Port Scan", "source": "network", "type": "TTP", "tags": []}, {"name": "Internal Vulnerability Scan", "source": "network", "type": "TTP", "tags": []}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk", "date": "2020-12-14", "version": 3, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.", "references": ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"], "narrative": "This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Web", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Michael Haag, Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Azure AD Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Azure AD Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Authentication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 Security And Compliance Alert Triggered - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Security And Compliance Alert Triggered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Office 365 Collection Techniques", "author": "Mauricio Velazco, Splunk", "date": "2024-02-12", "version": 1, "id": "d90f2b80-f675-4717-90af-12fc8c438ae8", "description": "Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.", "references": [], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information", "tags": {"category": ["Adversary Tactics", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Compliance Content Search Exported - Rule", "ESCU - O365 Compliance Content Search Started - Rule", "ESCU - O365 Elevated Mailbox Permission Assigned - Rule", "ESCU - O365 Mailbox Email Forwarding Enabled - Rule", "ESCU - O365 Mailbox Folder Read Permission Assigned - Rule", "ESCU - O365 Mailbox Folder Read Permission Granted - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 New Email Forwarding Rule Created - Rule", "ESCU - O365 New Email Forwarding Rule Enabled - Rule", "ESCU - O365 New Forwarding Mailflow Rule Created - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Compliance Content Search Exported", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Compliance Content Search Started", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Elevated Mailbox Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Email Forwarding Enabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Folder Read Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Folder Read Permission Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Mailboxes Accessed via API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Email Forwarding Rule Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Email Forwarding Rule Enabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New Forwarding Mailflow Rule Created", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via EWS", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 OAuth App Mailbox Access via Graph API", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "O365 Suspicious Rights Delegation", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "O365 Suspicious User Email Forwarding", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Admin Consent Bypassed by Service Principal", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 FullAccessAsApp Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Multiple Service Principals Created by SP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 Multiple Service Principals Created by User", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Privileged Graph API Permission Assigned", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": []}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Okta Account Takeover", "author": "Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk", "date": "2024-03-06", "version": 1, "id": "83a48657-8153-4580-adba-eb0b3a83244e", "description": "The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.", "references": ["https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover", "https://www.okta.com/customer-identity/"], "narrative": "Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Change", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta Authentication Failed During MFA Challenge - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multi-Factor Authentication Disabled - Rule", "ESCU - Okta Multiple Accounts Locked Out - Rule", "ESCU - Okta Multiple Failed MFA Requests For User - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Successful Single Factor Authentication - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Unauthorized Access to Application - Rule", "ESCU - Okta User Logins from Multiple Cities - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Bhavin Patel, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Authentication Failed During MFA Challenge", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Multi-Factor Authentication Disabled", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Multiple Accounts Locked Out", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Multiple Failed MFA Requests For User", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Multiple Users Failing To Authenticate From Ip", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Successful Single Factor Authentication", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Unauthorized Access to Application", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta User Logins from Multiple Cities", "source": "application", "type": "Anomaly", "tags": []}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": []}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": []}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": []}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Outlook RCE CVE-2024-21378", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2024-03-20", "version": 1, "id": "d889fcf2-0265-4b44-b29f-4ec063c21880", "description": "CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk.", "references": ["https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/"], "narrative": "CVE-2024-21378 is a weakness in Microsoft Outlook that lets hackers execute code remotely if they can authenticate themselves. Researchers at NetSPI found this issue in 2023. The problem started with a technique from 2017 by Etienne Stalmans at SensePost, who found a way to run code using VBScript in Outlook forms. Microsoft tried to fix it by only allowing approved script code in custom forms, but they didn't fix the main issue, which is how these forms sync. To exploit this vulnerability, you need to know how Outlook forms sync, using something called MAPI, and how they use certain properties and attachments when they're set up for the first time. Hackers can mess with these properties and attachments to run their own code. They do this by tricking the form's setup process, changing registry keys and files to get past Outlook's security. To show how this could be done, researchers modified Ruler, a tool for testing Outlook's security. They changed it so it could sync a harmful form with the right properties to run a specific type of file, a COM compliant native DLL. This not only showed that CVE-2024-21378 could be exploited but also that it could affect a lot of companies since so many use Microsoft Outlook. The discovery and the way it was exploited remind us that we always need to be on the lookout for security risks and work hard to protect against them. The cybersecurity world is always watching for the next big threat that could put our digital world at risk. As companies rush to fix this issue, it's a reminder of how important it is to stay ahead of these threats.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows InProcServer32 New Outlook Form - Rule", "ESCU - Windows New InProcServer32 Added - Rule", "ESCU - Windows Phishing Outlook Drop Dll In FORM Dir - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows InProcServer32 New Outlook Form", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows New InProcServer32 Added", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Outlook Drop Dll In FORM Dir", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for. If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Phemedrone Stealer", "author": "Teoderick Contreras, Splunk", "date": "2024-01-24", "version": 2, "id": "386f64dd-657b-4dcf-8eb3-5e297d30924c", "description": "Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities.", "references": ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"], "narrative": "Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Debugger Tool Execution - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule", "ESCU - Windows Unsigned DLL Side-Loading In Same Process Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Debugger Tool Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading In Same Process Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "narrative": "This story was created as a joint effort between iDefense and Splunk.\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\n1. www.chemscalere[.]com\n1. chemscalere[.]com\n1. about.chemscalere[.]com\n1. autoconfig.chemscalere[.]com\n1. autodiscover.chemscalere[.]com\n1. catalog.chemscalere[.]com\n1. cpanel.chemscalere[.]com\n1. db.chemscalere[.]com\n1. ftp.chemscalere[.]com\n1. mail.chemscalere[.]com\n1. news.chemscalere[.]com\n1. update.chemscalere[.]com\n1. webmail.chemscalere[.]com\n1. www.candlelightparty[.]org\n1. candlelightparty[.]org\n1. newapp.freshasianews[.]com\nIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\n1. b43ad826fe6928245d3c02b648296b43\n1. 889a9b52566448231f112a5ce9b5dfaf\n1. b8ec65dab97cdef3cd256cc4753f0c54\n1. 04d83cd3813698de28cfbba326d7647c", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation).\nThe prerequisites for successful exploitation consist of:\n1. Print Spooler service enabled on the target system\n1. Network connectivity to the target system (initial access has been obtained)\n1. Hash or password for a low privileged user ( or computer ) account.\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "tags": {"category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "tags": {"category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": []}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows MsiExec HideWindow Rundll32 Execution - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection In Non-Service SearchIndexer - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows MsiExec HideWindow Rundll32 Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection In Non-Service SearchIndexer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Change", "Network_Traffic", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Remote Access Software Usage File - Rule", "ESCU - Detect Remote Access Software Usage FileInfo - Rule", "ESCU - Detect Remote Access Software Usage Process - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Detect Remote Access Software Usage DNS - Rule", "ESCU - Detect Remote Access Software Usage Traffic - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Detect Remote Access Software Usage URL - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage FileInfo", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage DNS", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect Remote Access Software Usage Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": []}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": []}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Remote Access Software Usage URL", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "tags": {"category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates", "Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": "0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic", "Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": []}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "tags": {"category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["Get Backup Logs For Endpoint", "Get History Of Email Sources", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Information For Port Activity", "Investigate Successful Remote Desktop Authentications"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": []}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": []}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "references": ["https://attack.mitre.org/techniques/T1053/"], "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe.\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method.\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded.\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party affiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Snake Keylogger", "author": "Teoderick Contreras, Splunk", "date": "2024-02-12", "version": 1, "id": "0374f962-c66a-4a67-9a30-24b0708ef802", "description": "SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"], "narrative": "SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credential Access From Browser Password Store - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Credential Access From Browser Password Store", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Non Discord App Access Discord LevelDB", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Time Based Evasion via Choice Exec", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unsecured Outlook Credentials Access In Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2024-03-14", "version": 2, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "tags": {"category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Change", "Authentication", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows AD add Self to Group - Rule", "ESCU - Windows Increase in Group or Object Modification Activity - Rule", "ESCU - Windows Increase in User Modification Activity - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Windows AD add Self to Group", "source": "application", "type": "TTP", "tags": []}, {"name": "Windows Increase in Group or Object Modification Activity", "source": "application", "type": "TTP", "tags": []}, {"name": "Windows Increase in User Modification Activity", "source": "application", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": []}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email.\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack.\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security.\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\n1. The .lnk file executes a PowerShell script\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella,Rod Soto, Eric McGinnis, Splunk", "date": "2024-01-22", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Splunk_Audit"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Authentication Token Exposure in Debug Log - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk CSRF in the SSG kvstore Client Endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DoS via POST Request Datamodel Endpoint - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule", "ESCU - Splunk Information Disclosure on Account Login - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE PDFgen Render - Rule", "ESCU - Splunk RCE via External Lookup Copybuckets - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS conf-web Settings on Premises - Rule", "ESCU - Splunk Stored XSS via Data Model objectName Field - Rule", "ESCU - Splunk Stored XSS via Specially Crafted Bulletin Message - Rule", "ESCU - Splunk Unauthenticated DoS via Null Pointer References - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk Unauthenticated Path Traversal Modules Messaging - Rule", "ESCU - Splunk Unauthorized Experimental Items Creation - Rule", "ESCU - Splunk Unauthorized Notification Input by User - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS Privilege Escalation via Custom Urls in Dashboard - Rule", "ESCU - Splunk XSS Via External Urls in Dashboards SSRF - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Eric McGinnis, Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": []}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Authentication Token Exposure in Debug Log", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk CSRF in the SSG kvstore Client Endpoint", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk DoS via POST Request Datamodel Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise KV Store Incorrect Authorization", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Enterprise Windows Deserialization File Partition", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk Information Disclosure in Splunk Add-on Builder", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Information Disclosure on Account Login", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE PDFgen Render", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk RCE via External Lookup Copybuckets", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS conf-web Settings on Premises", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS via Data Model objectName Field", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Stored XSS via Specially Crafted Bulletin Message", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated DoS via Null Pointer References", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthenticated Path Traversal Modules Messaging", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthorized Experimental Items Creation", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk Unauthorized Notification Input by User", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": []}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS Privilege Escalation via Custom Urls in Dashboard", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS Via External Urls in Dashboards SSRF", "source": "application", "type": "Hunting", "tags": []}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": []}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": []}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:\n- Java Development Kit (JDK) 9 or greater\n- Apache Tomcat as the Servlet container\n- Packaged as a WAR\n- spring-webmvc or spring-webflux dependency\n", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": []}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": []}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": []}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": []}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows SIP WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": []}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/"], "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses.\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS S3 Bucket details via bucketName", "Get All AWS Activity From IP Address", "Get Notable History", "Investigate AWS activities via region name"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": []}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network.\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\nAttackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "AWS Network ACL Details from ID", "AWS Network Interface details via resourceId", "Get All AWS Activity From IP Address", "Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Process Info", "Get Process Information For Port Activity", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Authentication"], "kill_chain_phases": []}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["Get Notable History", "Investigate AWS User Activities by user field"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": []}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk", "Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Attribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN", "Get All AWS Activity From IP Address"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS AMI Attribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": []}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": []}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule", "ESCU - Cloud Security Groups Modifications by User - Rule"], "investigation_names": ["AWS Investigate User Activities By ARN"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": []}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Cloud Security Groups Modifications by User", "source": "cloud", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Command-Line Executions", "author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe).\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file.\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis.\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": []}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["Get DNS Server History for a host", "Get DNS traffic ratio", "Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Process Responsible For The DNS Traffic"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": []}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": []}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\nOnce a phishing message has been detected, the next steps are to answer the following questions:\n1. Which users have received this or a similar message in the past?\n1. When did the targeted campaign begin?\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email"], "kill_chain_phases": []}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["Get Email Info", "Get Emails From Specific Sender", "Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": []}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": []}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "tags": {"category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": []}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": []}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\n1. Determine if script code was executed with MSHTA.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Windows MSHTA Writing to World Writable Path - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSHTA Writing to World Writable Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom.\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important.\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Okta IDP Lifecycle Modifications - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": ["Investigate Okta Activity by app", "Investigate Okta Activity by IP Address", "Investigate User Activities In Okta"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Okta IDP Lifecycle Modifications", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": []}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Anomaly", "tags": []}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta Account Locked Out", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Account Lockout Events", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta Failed SSO Attempts", "source": "deprecated", "type": "Anomaly", "tags": []}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "deprecated", "type": "TTP", "tags": []}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": "80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\nThe registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\nThe searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info", "Get Sysmon WMI Activity for Host"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["Get Process File Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\nTriage\nValidate execution\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\n1. Determine if script code was executed with MSBuild.\nSituational Awareness\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\nRetrieval of script code\nThe objective of this step is to confirm the executed script code is benign or malicious.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Payload Injection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["Get Notable History", "Get Process Information For Port Activity"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": []}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": []}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": []}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": []}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering. Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.\nThey issue commands via the command line to: 1. collect data, including credentials from local and network systems,\n2. put the data into an archive file to stage it for exfiltration, and then\n3. use the stolen valid credentials to maintain persistence.\nIn addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "tags": {"category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "tags": {"category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows AppLocker", "author": "Michael Haag, Splunk", "date": "2024-03-21", "version": 1, "id": "7911b245-e74d-48db-b1cf-69f3eb02ca55", "description": "Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications.", "references": [], "narrative": "AppLocker, a built-in Windows security feature, provides organizations with the ability to control application usage across their networks. It enables administrators to define rules based on file names, publishers, and file hashes to allow or deny the execution of applications. This level of control helps in preventing malware and unlicensed software from running, thereby enhancing the security posture of an organization. \\\nOrganizations should leverage AppLocker for several reasons. Firstly, it aids in the enforcement of software compliance policies by ensuring that only licensed and approved applications are run on the network. Secondly, by restricting the execution of unauthorized applications, AppLocker significantly reduces the attack surface, making it harder for attackers to exploit vulnerabilities in unapproved software. Thirdly, AppLocker's ability to log attempts to run unauthorized applications provides valuable insights for security monitoring and incident response activities. This logging capability enables organizations to detect and respond to potential security threats in real time. \\\nIn summary, AppLocker is a critical security tool that helps organizations manage application usage, enforce compliance policies, and mitigate security risks. By implementing AppLocker policies, organizations can achieve a robust security posture, protecting their assets from unauthorized software and potential cyber threats.", "tags": {"category": ["Unauthorized Software", "Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows AppLocker Block Events - Rule", "ESCU - Windows AppLocker Execution from Uncommon Locations - Rule", "ESCU - Windows AppLocker Privilege Escalation via Unauthorized Bypass - Rule", "ESCU - Windows AppLocker Rare Application Launch Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows AppLocker Block Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows AppLocker Execution from Uncommon Locations", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows AppLocker Privilege Escalation via Unauthorized Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AppLocker Rare Application Launch Detection", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "tags": {"category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "references": ["https://attack.mitre.org/techniques/T1649/"], "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web", "Updates", "Endpoint", "Risk", "Change"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known Abused DLL Created - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Known Abused DLL Created", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect AzureHound Command-Line Arguments - Rule", "ESCU - Detect AzureHound File Modifications - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Traffic to Active Directory Web Services Protocol - Rule", "ESCU - System Information Discovery Detection - Rule", "ESCU - Windows SOAPHound Binary Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Detect AzureHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect AzureHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Traffic to Active Directory Web Services Protocol", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "System Information Discovery Detection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows SOAPHound Binary Execution", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["Get Notable History"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": []}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": []}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Installed - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Vulnerable Driver Installed", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874.\nThe WER service's function is to report software issues on Windows hosts. The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access.\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers.\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications.\nSince its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe.\nAttackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": []}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": []}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation Suspicious Process Elevation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation System Process Without System Parent", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Privilege Escalation User Process Spawn System Process", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates", "Endpoint", "Risk", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Change Win Defender Health Check Intervals - Rule", "ESCU - Windows Impair Defense Change Win Defender Quick Scan Interval - Rule", "ESCU - Windows Impair Defense Change Win Defender Throttle Rate - Rule", "ESCU - Windows Impair Defense Change Win Defender Tracing Level - Rule", "ESCU - Windows Impair Defense Configure App Install Control - Rule", "ESCU - Windows Impair Defense Define Win Defender Threat Action - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defense Disable Controlled Folder Access - Rule", "ESCU - Windows Impair Defense Disable Defender Firewall And Network - Rule", "ESCU - Windows Impair Defense Disable Defender Protocol Recognition - Rule", "ESCU - Windows Impair Defense Disable PUA Protection - Rule", "ESCU - Windows Impair Defense Disable Realtime Signature Delivery - Rule", "ESCU - Windows Impair Defense Disable Web Evaluation - Rule", "ESCU - Windows Impair Defense Disable Win Defender App Guard - Rule", "ESCU - Windows Impair Defense Disable Win Defender Compute File Hashes - Rule", "ESCU - Windows Impair Defense Disable Win Defender Gen reports - Rule", "ESCU - Windows Impair Defense Disable Win Defender Network Protection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Report Infection - Rule", "ESCU - Windows Impair Defense Disable Win Defender Scan On Update - Rule", "ESCU - Windows Impair Defense Disable Win Defender Signature Retirement - Rule", "ESCU - Windows Impair Defense Overide Win Defender Phishing Filter - Rule", "ESCU - Windows Impair Defense Override SmartScreen Prompt - Rule", "ESCU - Windows Impair Defense Set Win Defender Smart Screen Level To Warn - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Health Check Intervals", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Quick Scan Interval", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Throttle Rate", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Change Win Defender Tracing Level", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Configure App Install Control", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Define Win Defender Threat Action", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Impair Defense Disable Controlled Folder Access", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Firewall And Network", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Defender Protocol Recognition", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable PUA Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Realtime Signature Delivery", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Web Evaluation", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender App Guard", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Compute File Hashes", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Gen reports", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Network Protection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Report Infection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Scan On Update", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Disable Win Defender Signature Retirement", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Overide Win Defender Phishing Filter", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Override SmartScreen Prompt", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": []}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["Get Notable History", "Get Parent Process Info", "Get Process Info"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds.\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses.\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation.\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "references": ["https://cert.gov.ua/article/3761023"], "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": []}]}, {"name": "WordPress Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2024-02-22", "version": 1, "id": "baeaee14-e439-4c95-91e8-aaedd8265c1c", "description": "This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "references": ["https://attack.mitre.org/techniques/T1190", "https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600", "https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/", "https://thehackernews.com/2024/02/wordpress-bricks-theme-under-active.html"], "narrative": "The following collection of analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - WordPress Bricks Builder plugin RCE - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "WordPress Bricks Builder plugin RCE", "source": "web", "type": "TTP", "tags": []}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": []}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": []}]}, {"name": "XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "tags": {"category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": []}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": []}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": []}]}, {"name": "Zscaler Browser Proxy Threats", "author": "Rod Soto, Gowthamaraj Rajendran", "date": "2023-10-25", "version": 1, "id": "5d4ba315-39df-4309-982f-a7052efccffd", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity from Zscaler. This also encompasses monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. Additionally, the narrative extends to the detection of insider threats, ensuring comprehensive protection from both external and internal vulnerabilities. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment.", "references": ["https://threatlibrary.zscaler.com/", "https://help.zscaler.com/zia/about-threat-categories"], "narrative": "Zscaler Client Connector is an application installed on your device to ensure that your internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.", "tags": {"category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Risk"], "kill_chain_phases": []}, "detection_names": ["ESCU - Zscaler Adware Activities Threat Blocked - Rule", "ESCU - Zscaler Behavior Analysis Threat Blocked - Rule", "ESCU - Zscaler CryptoMiner Downloaded Threat Blocked - Rule", "ESCU - Zscaler Employment Search Web Activity - Rule", "ESCU - Zscaler Exploit Threat Blocked - Rule", "ESCU - Zscaler Legal Liability Threat Blocked - Rule", "ESCU - Zscaler Malware Activity Threat Blocked - Rule", "ESCU - Zscaler Phishing Activity Threat Blocked - Rule", "ESCU - Zscaler Potentially Abused File Download - Rule", "ESCU - Zscaler Privacy Risk Destinations Threat Blocked - Rule", "ESCU - Zscaler Scam Destinations Threat Blocked - Rule", "ESCU - Zscaler Virus Download threat blocked - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran", "author_name": "Rod Soto", "detections": [{"name": "Zscaler Adware Activities Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Behavior Analysis Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler CryptoMiner Downloaded Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Employment Search Web Activity", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Exploit Threat Blocked", "source": "web", "type": "TTP", "tags": []}, {"name": "Zscaler Legal Liability Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Malware Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Phishing Activity Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Potentially Abused File Download", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Privacy Risk Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Scam Destinations Threat Blocked", "source": "web", "type": "Anomaly", "tags": []}, {"name": "Zscaler Virus Download threat blocked", "source": "web", "type": "Anomaly", "tags": []}]}]} \ No newline at end of file diff --git a/dist/api/version.json b/dist/api/version.json index e684291f09..3378b7668a 100644 --- a/dist/api/version.json +++ b/dist/api/version.json @@ -1,5 +1 @@ -<<<<<<< HEAD -{"version": {"name": "v4.35.0", "published_at": "2024-07-24T11:19:51Z"}} -======= -{"version": {"name": "v4.35.0", "published_at": "2024-07-17T00:25:05Z"}} ->>>>>>> develop +{"version": {"name": "v4.35.0", "published_at": "2024-07-24T11:51:57Z"}} \ No newline at end of file diff --git a/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml b/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml index e52376e9f2..15feb691b9 100644 --- a/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml +++ b/dist/ssa/srs/ssa___create_local_admin_accounts_using_net_exe.yml @@ -1,7 +1,7 @@ name: Create Local Admin Accounts Using Net Exe -id: 2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7 +id: 890f0937-5a83-48fb-b793-68f792ded5db version: 3 -status: validation +status: production detection_type: STREAMING description: The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access @@ -55,7 +55,7 @@ search: ' $main = from source | eval timestamp = time | eval metadata_uid = me risk_level_id = 1, risk_score = 30, severity_id = 0, - rule = {"name": "Create Local Admin Accounts Using Net Exe", "uid": "2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7", "type": "Streaming"}, + rule = {"name": "Create Local Admin Accounts Using Net Exe", "uid": "890f0937-5a83-48fb-b793-68f792ded5db", "type": "Streaming"}, metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, type_uid = 10200101, start_time = timestamp, @@ -84,7 +84,7 @@ tags: risk_score: 30 security_domain: endpoint risk_severity: low - research_site_url: https://research.splunk.com/endpoint/2dbdfc95-9c0f-433e-95f1-a376f1ae8bf7/ + research_site_url: https://research.splunk.com/endpoint/890f0937-5a83-48fb-b793-68f792ded5db/ event_schema: ocsf mappings: - ocsf: process.pid diff --git a/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml b/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml index b0c7b5e254..725b8cec8f 100644 --- a/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml +++ b/dist/ssa/srs/ssa___create_local_user_accounts_using_net_exe.yml @@ -1,7 +1,7 @@ name: Create Local User Accounts Using Net Exe -id: 1ee0fff0-9642-421b-8e13-9aa6fba4ace3 +id: 3e66edb4-b4dc-4b65-b57f-779a88d7d1d9 version: 6 -status: validation +status: production detection_type: STREAMING description: The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access @@ -51,7 +51,7 @@ search: ' $main = from source | eval timestamp = time | eval metadata_uid = me risk_level_id = 0, risk_score = 9, severity_id = 0, - rule = {"name": "Create Local User Accounts Using Net Exe", "uid": "1ee0fff0-9642-421b-8e13-9aa6fba4ace3", "type": "Streaming"}, + rule = {"name": "Create Local User Accounts Using Net Exe", "uid": "3e66edb4-b4dc-4b65-b57f-779a88d7d1d9", "type": "Streaming"}, metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, type_uid = 10200101, start_time = timestamp, @@ -80,7 +80,7 @@ tags: risk_score: 9 security_domain: endpoint risk_severity: low - research_site_url: https://research.splunk.com/endpoint/1ee0fff0-9642-421b-8e13-9aa6fba4ace3/ + research_site_url: https://research.splunk.com/endpoint/3e66edb4-b4dc-4b65-b57f-779a88d7d1d9/ event_schema: ocsf mappings: - ocsf: process.pid diff --git a/dist/ssa/srs/ssa___deleting_shadow_copies.yml b/dist/ssa/srs/ssa___deleting_shadow_copies.yml index f59d8eb1e2..963ae99dbc 100644 --- a/dist/ssa/srs/ssa___deleting_shadow_copies.yml +++ b/dist/ssa/srs/ssa___deleting_shadow_copies.yml @@ -1,7 +1,7 @@ name: Deleting Shadow Copies -id: fd40c537-53d0-4c28-9b7e-77cfd28a49c8 +id: 19c85f5e-24a5-4355-a430-db9a58d1dc15 version: 5 -status: validation +status: production detection_type: STREAMING description: The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search @@ -38,7 +38,7 @@ search: ' $main = from source | eval timestamp = time | eval metadata_uid = me risk_level_id = 3, risk_score = 64, severity_id = 0, - rule = {"name": "Deleting Shadow Copies", "uid": "fd40c537-53d0-4c28-9b7e-77cfd28a49c8", "type": "Streaming"}, + rule = {"name": "Deleting Shadow Copies", "uid": "19c85f5e-24a5-4355-a430-db9a58d1dc15", "type": "Streaming"}, metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()}, type_uid = 10200101, start_time = timestamp, @@ -71,7 +71,7 @@ tags: risk_score: 64 security_domain: endpoint risk_severity: medium - research_site_url: https://research.splunk.com/endpoint/fd40c537-53d0-4c28-9b7e-77cfd28a49c8/ + research_site_url: https://research.splunk.com/endpoint/19c85f5e-24a5-4355-a430-db9a58d1dc15/ event_schema: ocsf mappings: - ocsf: process.pid diff --git a/dist/ssa/srs/ssa___executable_file_written_in_administrative_smb_share.yml b/dist/ssa/srs/ssa___executable_file_written_in_administrative_smb_share.yml index ee64bdead5..d623a06bc3 100644 --- a/dist/ssa/srs/ssa___executable_file_written_in_administrative_smb_share.yml +++ b/dist/ssa/srs/ssa___executable_file_written_in_administrative_smb_share.yml @@ -21,7 +21,7 @@ search: ' $main = from source | eval timestamp = time | eval metadata_uid = me "\\%\\admin$") AND access_mask=2 | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}], time = timestamp, - evidence = {, "sourceType": metadata.source_type, "source": metadata.source}, + evidence = {"share": share, "file.type": file_type, "access_mask": access_mask, "actor.user.domain": actor_user_domain, "src_endpoint.ip": src_endpoint_ip, "access_result": access_result, "file.path": file_path, "src_endpoint.port": src_endpoint_port, "actor.user.name": actor_user_name, "actor.session.uid": actor_session_uid, "actor.user.uid": actor_user_uid, "access_list": access_list, "device.hostname": device_hostname, "sourceType": metadata.source_type, "source": metadata.source}, message = "Executable File Written in Administrative SMB Share has been triggered on " + device_hostname + " by " + actor_user_name + ".", users = [{"name": actor_user_name, "uuid": actor_user.uuid, "uid": actor_user.uid}], activity_id = 1, diff --git a/lookups/data_sources.csv b/lookups/data_sources.csv index e398a6a593..3b7ea9de79 100644 --- a/lookups/data_sources.csv +++ b/lookups/data_sources.csv @@ -47,6 +47,7 @@ AWS CloudTrail UpdateAccountPasswordPolicy,35a8cc97-3600-40e1-a5d1-1c2ad5060be0, AWS CloudTrail UpdateLoginProfile,1db79158-e5d3-4d35-9d3c-586e44e09f1c,"Patrick Bareiss, Splunk",aws_cloudtrail,aws:cloudtrail,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudTrail UpdateLoginProfile AWS CloudTrail UpdateSAMLProvider,e5eb628d-711e-499c-87d9-8fa5dee419ec,"Patrick Bareiss, Splunk",aws_cloudtrail,aws:cloudtrail,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudTrail UpdateSAMLProvider AWS CloudTrail UpdateTrail,d5b7a1eb-711a-4c96-aa93-235fe3c8a939,"Patrick Bareiss, Splunk",aws_cloudtrail,aws:cloudtrail,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudTrail UpdateTrail +AWS CloudWatchLogs VPCflow,38a34fc4-e128-4478-a8f4-7835d51d5135,"Bhavin Patel, Splunk",aws_cloudwatchlogs_vpcflow,aws:cloudwatchlogs:vpcflow,eventName,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS CloudWatchLogs VPCflow AWS Security Hub,b02bfbf3-294f-478e-99a1-e24b8c692d7e,"Patrick Bareiss, Splunk",aws_securityhub_finding,aws:securityhub:finding,,Splunk Add-on for Amazon Web Services (AWS),7.4.1,https://splunkbase.splunk.com/app/1876,Data source object for AWS Security Hub Azure Active Directory,51ca21e5-bda2-4652-bb29-27c7bc18a81c,"Patrick Bareiss, Splunk",Azure AD,azure:monitor:aad,operationName,Splunk Add-on for Microsoft Cloud Services,5.2.2,https://splunkbase.splunk.com/app/3110,Data source object for Azure Active Directory Azure Active Directory Add app role assignment to service principal,8b2e84cd-6db0-47e9-badc-75c17df1995f,"Patrick Bareiss, Splunk",Azure AD,azure:monitor:aad,operationName,Splunk Add-on for Microsoft Cloud Services,5.2.2,https://splunkbase.splunk.com/app/3110,Data source object for Azure Active Directory Add app role assignment to service principal @@ -186,6 +187,7 @@ Windows Event Log Security 5141,eafb35fa-f034-4be3-8508-d9173a73c0a1,"Patrick Ba Windows Event Log Security 5145,0746479b-7b82-4d7e-8811-0b35da00f798,"Patrick Bareiss, Splunk",XmlWinEventLog:Security,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log Security 5145 Windows Event Log System 4720,f01d4758-05c8-4ac4-a9a5-33500dd5eb6c,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 4720 Windows Event Log System 4726,05e6b2df-b50e-441b-8ac8-565f2e80d62f,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 4726 +Windows Event Log System 4728,4549f0ac-3df9-4bfb-bea5-1459690c8040,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 4728 Windows Event Log System 7036,a6e9b34f-1507-4fa1-a4ba-684d1b676a34,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 7036 Windows Event Log System 7040,91738e9e-d112-41c9-b91b-e5868d8993d9,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 7040 Windows Event Log System 7045,614dedc8-8a14-4393-ba9b-6f093cbcd293,"Patrick Bareiss, Splunk",XmlWinEventLog:System,xmlwineventlog,EventCode,Splunk Add-on for Microsoft Windows,8.8.0,https://splunkbase.splunk.com/app/742,Data source object for Windows Event Log System 7045